Bump to 0.6.5

Detect misconfiguration on downgrade
Reset min required HA
2026-02-06 12:41:03 +01:00 · 2026-02-06 11:54:04 +01:00 · 2026-02-06 11:44:41 +01:00 · 2026-02-06 11:42:14 +01:00 · 2026-02-06 11:40:37 +01:00 · 2026-02-06 11:38:01 +01:00
42 changed files with 4600 additions and 585 deletions
--- a/.github/workflows/hacs.yaml
+++ b/.github/workflows/hacs.yaml
@@ -5,6 +5,7 @@ on:
  push:
    branches:
    - main
    - release/*
  pull_request:
  schedule:
  - cron: "0 0 * * *"
@@ -13,10 +14,8 @@ jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
    - name: HACS validation
-        uses: hacs/action@main
+      uses: hacs/action@22.5.0
      with:
        category: "integration"
          ignore: brands
--- a/.github/workflows/hassfest.yaml
+++ b/.github/workflows/hassfest.yaml
@@ -5,6 +5,7 @@ on:
  push:
    branches:
    - main
    - release/*
  pull_request:
  schedule:
  - cron: "0 0 * * *"
@@ -13,5 +14,5 @@ jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
    - uses: home-assistant/actions/hassfest@master
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -5,16 +5,21 @@ on:
  push:
  pull_request:
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
-      - name: Install the latest version of rye
+    - name: "Set up Python"
-        uses: eifinger/setup-rye@v4
+      uses: actions/setup-python@v5
      with:
        python-version-file: ".python-version"
    - name: Install the latest version of uv
      uses: astral-sh/setup-uv@v6
      with:
        enable-cache: true
    - name: Sync dependencies
-        run: rye sync
+      run: scripts/sync
-      - name: Lint (pylint/rye lint)
+    - name: Lint (pylint/ruff lint)
-        run: rye run check
+      run: scripts/check
--- a/.gitignore
+++ b/.gitignore
@@ -108,3 +108,8 @@ dmypy.json
 config/
 .venv
 .pytest_logs.log
 node_modules
--- a/.python-version
+++ b/.python-version
@@ -1 +1 @@
-3.13.1
+3.14.2
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,128 @@
 # Contributor Covenant Code of Conduct
 ## Our Pledge
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
 identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
 We pledge to act and interact in ways that contribute to an open, welcoming,
 diverse, inclusive, and healthy community.
 ## Our Standards
 Examples of behavior that contributes to a positive environment for our
 community include:
 * Demonstrating empathy and kindness toward other people
 * Being respectful of differing opinions, viewpoints, and experiences
 * Giving and gracefully accepting constructive feedback
 * Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
 * Focusing on what is best not just for us as individuals, but for the
  overall community
 Examples of unacceptable behavior include:
 * The use of sexualized language or imagery, and sexual attention or
  advances of any kind
 * Trolling, insulting or derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or email
  address, without their explicit permission
 * Other conduct which could reasonably be considered inappropriate in a
  professional setting
 ## Enforcement Responsibilities
 Community leaders are responsible for clarifying and enforcing our standards of
 acceptable behavior and will take appropriate and fair corrective action in
 response to any behavior that they deem inappropriate, threatening, offensive,
 or harmful.
 Community leaders have the right and responsibility to remove, edit, or reject
 comments, commits, code, wiki edits, issues, and other contributions that are
 not aligned to this Code of Conduct, and will communicate reasons for moderation
 decisions when appropriate.
 ## Scope
 This Code of Conduct applies within all community spaces, and also applies when
 an individual is officially representing the community in public spaces.
 Examples of representing our community include using an official e-mail address,
 posting via an official social media account, or acting as an appointed
 representative at an online or offline event.
 ## Enforcement
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
 contact@christiaangoossens.nl (email).
 All complaints will be reviewed and investigated promptly and fairly.
 All community leaders are obligated to respect the privacy and security of the
 reporter of any incident.
 ## Enforcement Guidelines
 Community leaders will follow these Community Impact Guidelines in determining
 the consequences for any action they deem in violation of this Code of Conduct:
 ### 1. Correction
 **Community Impact**: Use of inappropriate language or other behavior deemed
 unprofessional or unwelcome in the community.
 **Consequence**: A private, written warning from community leaders, providing
 clarity around the nature of the violation and an explanation of why the
 behavior was inappropriate. A public apology may be requested.
 ### 2. Warning
 **Community Impact**: A violation through a single incident or series
 of actions.
 **Consequence**: A warning with consequences for continued behavior. No
 interaction with the people involved, including unsolicited interaction with
 those enforcing the Code of Conduct, for a specified period of time. This
 includes avoiding interactions in community spaces as well as external channels
 like social media. Violating these terms may lead to a temporary or
 permanent ban.
 ### 3. Temporary Ban
 **Community Impact**: A serious violation of community standards, including
 sustained inappropriate behavior.
 **Consequence**: A temporary ban from any sort of interaction or public
 communication with the community for a specified period of time. No public or
 private interaction with the people involved, including unsolicited interaction
 with those enforcing the Code of Conduct, is allowed during this period.
 Violating these terms may lead to a permanent ban.
 ### 4. Permanent Ban
 **Community Impact**: Demonstrating a pattern of violation of community
 standards, including sustained inappropriate behavior,  harassment of an
 individual, or aggression toward or disparagement of classes of individuals.
 **Consequence**: A permanent ban from any sort of public interaction within
 the community.
 ## Attribution
 This Code of Conduct is adapted from the [Contributor Covenant][homepage],
 version 2.0, available at
 https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
 Community Impact Guidelines were inspired by [Mozilla's code of conduct
 enforcement ladder](https://github.com/mozilla/diversity).
 [homepage]: https://www.contributor-covenant.org
 For answers to common questions about this code of conduct, see the FAQ at
 https://www.contributor-covenant.org/faq. Translations are available at
 https://www.contributor-covenant.org/translations.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,119 @@
 # Contribution Guide
 Contibutions are very welcome!
 ## Non-code contributions
 If you are not a programmer, you can still contribute by:
 - Adding discussion items over at the [Discussions page](https://github.com/christiaangoossens/hass-oidc-auth/discussions) if you have a question, feature idea or a setup you would like to show off.
 - Helping others in issues and discussion posts.
 - Voting on polls and providing input.
 - If you want to, contributing financially through [Github Sponsors](https://github.com/sponsors/christiaangoossens)
 ## Code contributions
 You may also submit Pull Requests (PRs) to add features yourself! You can find a list that we are currently working on below. Please note that workflows will be run on your pull request and a pull request will only be merged when all checks pass and a review has been conducted (together with a manual test).
 ### Development
 This project uses the uv package manager for development. You can find installation instructions here: https://docs.astral.sh/uv/getting-started/installation/. Start by installing the dependencies using `uv sync` and then point your editor towards the environment created in the .venv directory.
 You can then run Home Assistant and put the `custom_components/auth_oidc` directory in your HA `config` folder.
 #### Other useful commands
 Some useful scripts are in the `scripts` directory. If you run Linux (or WSL under Windows), you can run these directly:
 - `scripts/check` will check your Python files for linting errors
 - `scripts/fix` will fix some formatting mistakes automatically
 You can also run these commands manually on Windows:
 ##### Compiling css
 To compile tailwind css styles for the pages you need the NodeJS and NPM installed.
 You can run the `npm run css` script to generate the css once and you can run the `npm run css:watch` to recompile the css every time the templates change
 ##### Check
 ```
 uv run ruff check
 uv run ruff format --check
 uv run pylint custom_components
 ```
 ##### Fix
 ```
 uv run ruff check --fix
 uv run ruff format
 ```
 ### Docker Compose Development Environment
 You can also use the following Docker Compose configuration to automatically start up the latest HA release with the `auth_oidc` integration:
 ```
 services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - ./config:/config
      - ./custom_components/auth_oidc:/config/custom_components/auth_oidc
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 8123:8123
 ```
 # Found a security issue?
 Please see [SECURITY.md](./SECURITY.md) for more information on how to submit your security issue securely. You can find previously found vulnerablities and their corresponding security advisories at the [Security Advisories page](https://github.com/christiaangoossens/hass-oidc-auth/security/advisories).
 # Roadmap
 The following features are on the roadmap:
 ## Better user experience
 *Copied from https://github.com/christiaangoossens/hass-oidc-auth/issues/19*
 Current status on the user experience:
 - I cannot change the login screen as all of this is hard coded in the frontend code. So, I am stuck with the title of "Just checking" and without any description or even a title for the input box. Changing this would require a PR on the Home Assistant frontend repository.
  - If anyone can refactor their code to allow integrations (Auth Providers) to send custom translations to the frontend when sending the form (here: [custom_components/auth_oidc/provider.py, line 302](https://github.com/christiaangoossens/hass-oidc-auth/blob/main/custom_components/auth_oidc/provider.py#L302)), such that I can send custom translation keys for the title (instead of just using the `mfa` version), description and input label, I would be very happy to accept a PR here as well that accomplishes that.
  - Bonus points if it uses the same translation system you would use for any normal setup/config flow in the UI.
  - Extra bonus points if we can add a button or link besides it that allows for opening the start of the OIDC flow there too, within the description for instance.
 - I cannot redirect you to the start of the OIDC process yet, both on mobile and on desktop. Whenever [the PR](https://github.com/home-assistant/frontend/pull/23204) gets merged and a Home Assistant version that's includes the PR is released (or planned), I will hopefully be able to get something like that to work on desktop.
  - It likely will not work on mobile, as the PR that's now approved only does it for desktop, I tested mobile with that code 2 years ago and it didn't work. I will contact someone on the Android team to see if we can make that happen too at some point.
    - Mobile will need to open the `window.open` call using Android Custom Tab (Android) / SFSafariViewController (iOS) instead of the normal webview. It seems that external links didn't work at all when I tried it.
 PR's that improve the user experience are welcome, but they should be stable and preferably hack as little as possible.
 ## Tests
 The project still needs the following automated tests on every PR:
 - Spin up Home Assistant (both the required version from the `hacs.json` and the latest version) and verify that it starts up with no warnings or errors
 - Normal pytest unit testing (https://developers.home-assistant.io/docs/development_testing/)
  - You might be able to re-use some unit tests from the original implementation by @elupus: https://github.com/home-assistant/core/pull/32926 or from it's inspired work by @allenporter: https://github.com/allenporter/home-assistant-openid-auth-provider/tree/main/tests
 - Integration test that performs an automatic run-through of an entire flow with an example/mocked OIDC provider, either in Python code or using an external tool (such as Playwright)
 Together, these should test the following:
 - The integration registers correctly without any errors (spin-up test)
 - The integration works with both the minimum HA version as well as the latest HA version (spin-up test)
 - Configuration can be set without any errors (unit test)
 - Configuration has the correct effects (unit test)
 - Code works correctly on its own (unit test)
 - Full flow is functional and displays as expected, including integration with an external OIDC provider (integration test)
 Preferably, we run all tests on every PR to make manual testing unnecessary.
 ## Better configuration experience
 As a conclusion to the poll (https://github.com/christiaangoossens/hass-oidc-auth/discussions/6), it seems that the best option would be to keep the current YAML configuration for advanced uses and add a UI configuration for the common providers.
 I planned for the following user flow:
 1. Add integration in the HA UI
 2. Get config dialog with a selector for which OIDC provider you are using
 3. Preconfigure claim configuration using the chosen provider
 4. Have user input client id & discovery URL with an instruction to configure as public client
 5. (Optionally) allow users to choose confidential client and input client secret
 6. Check these fields by requesting the discovery, JWKS
 7. Ask user if they want to enable groups and allow them to input the correct group name for both roles
 8. (Optionally) allow users to enable user linking, explain the issues to them with leaving it enabled and allow disabling later
 9. Inform users that advanced options are only available in YAML, such as networking settings or specific claim configurations
 10. Have the user perform one login to check that all the fields are correct, just as any OAuth2 integration would, preferably using our oidc_provider
 11. Save the integration and request restart to enable it (if necessary)
 While I welcome adding configuration by UI, it's not at the top of my priority list. Ask me in the PR if you have any other suggestions and don't forget to add tests for this too. Existing YAML configuration should also remain unaffected, whenever possible.
--- a/FUNDING.yml
+++ b/FUNDING.yml
@@ -0,0 +1 @@
 github: christiaangoossens
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright 2024 Christiaan Goossens
+Copyright 2024-2025 Christiaan Goossens
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
--- a/README.md
+++ b/README.md
@@ -1,4 +1,45 @@
-# OIDC Auth for Home Assistant
+<!-- Based on the Best-README-template from https://github.com/christiaangoossens/hass-oidc-auth -->
 <a id="readme-top"></a>
 <div align="center">
 [![Stargazers][stars-shield]][stars-url]
 [![Issues][issues-shield]][issues-url]
 [![Contributors][contributors-shield]][contributors-url]
 [![Forks][forks-shield]][forks-url]
 [![MIT License][license-shield]][license-url]
 </div>
 <!-- PROJECT LOGO -->
 <br />
 <div align="center">
  <a href="https://github.com/christiaangoossens/hass-oidc-auth/">
    <img src="logo.png" alt="Logo" width="80" height="80">
  </a>
  <h3 align="center">OpenID Connect for Home Assistant</h3>
  <p align="center">
    OpenID Connect (OIDC) implementation for Home Assistant through a custom component/integration
    <br />
    <br />
    <a href="./docs/usage.md">Usage Guide</a>
    &middot;
    <a href="./docs/configuration.md">Configuration Guide</a>
    &middot;
    <a href="./CONTRIBUTING.md">Contribution Guide</a>
    <br />
    <br />
    <a href="https://github.com/christiaangoossens/hass-oidc-auth/discussions?discussions_q=is%3Aopen+category%3AAnnouncements+category%3APolls">Announcements & Polls</a>
    &middot;
    <a href="https://github.com/christiaangoossens/hass-oidc-auth/issues">Issues</a>
    &middot;
    <a href="https://github.com/christiaangoossens/hass-oidc-auth/discussions/categories/q-a">Questions</a>
    &middot;
    <a href="https://github.com/christiaangoossens/hass-oidc-auth/discussions/categories/ideas">Feature Requests</a>
  </p>
 </div>
 > [!CAUTION]
 > This is an alpha release. I give no guarantees about code quality, error handling or security at this stage. Use at your own risk.
@@ -6,115 +47,60 @@
 Provides an OpenID Connect (OIDC) implementation for Home Assistant through a custom component/integration. Through this integration, you can create an SSO (single-sign-on) environment within your self-hosted application stack / homelab.
 ### Background
-If you would like to read the background/open letter that lead to this component, please see https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223. It is currently one of the most upvoted feature requests for Home Assistant.
+If you would like to read the background/open letter that lead to this component, you can find the original post at https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223. It is currently one of the most upvoted feature requests for Home Assistant.
-## How to use
+> [!TIP]
-### Installation
+> If you support the addition of this feature to the Home Assistant core, please upvote https://github.com/orgs/home-assistant/discussions/48. It's the successor of the Home Assistant Community post mentioned above (with almost 900 upvotes).
-Add this repository to [HACS](https://hacs.xyz/).
+## Installation guide
 1. Add this repository to [HACS](https://hacs.xyz/) (or search for "OpenID Connect" in HACS).
 [![Open your Home Assistant instance and open a repository inside the Home Assistant Community Store.](https://my.home-assistant.io/badges/hacs_repository.svg)](https://my.home-assistant.io/redirect/hacs_repository/?owner=christiaangoossens&repository=hass-oidc-auth&category=Integration)
-Update your `configuration.yaml` file with
+2. Add the YAML configuration that matches your OIDC provider to `configuration.yaml`. See the [Configuration Guide](./docs/configuration.md) for more details or pick your OIDC provider below:
    | <img src="https://goauthentik.io/img/icon_top_brand_colour.svg" width="100"> | <img src="https://www.authelia.com/images/branding/logo-cropped.png" width="100"> | <img src="https://github.com/user-attachments/assets/4ceb2708-9f29-4694-b797-be833efce17d" width="100"> |
    |:-----------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------:|
    | [Authentik](./docs/provider-configurations/authentik.md)                                       | [Authelia](./docs/provider-configurations/authelia.md)                                     | [Pocket ID](./docs/provider-configurations/pocket-id.md)                                     |
    By default, the integration assumes you configure Home Assistant as a **public client** and thus only specify the `client_id` and no `client_secret`. For example, your configuration might look like:
    ```yaml
    auth_oidc:
-    client_id: ""
+        client_id: "example"
-    discovery_url: ""
+        discovery_url: "https://example.com/.well-known/openid-configuration"
    ```
-Register your client with your OIDC Provider (e.g. Authentik/Authelia) as a public client and get the client_id. Then, use the obtained client_id and discovery URLs to fill the fields in `configuration.yaml`.
+    When registering Home Assistant at your OIDC provider, use `<your HA URL>/auth/oidc/callback` as the callback URL and select 'public client'. You should now get the `client_id` and `issuer_url` or `discovery_url` to fill in.
-For example:
+3. Restart Home Assistant
 ```yaml
 auth_oidc:
    client_id: "someValueForTheClientId"
    discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
 ```
-Afterwards, restart Home Assistant. 
+4. Login through the OIDC Welcome URL at `<your HA URL>/auth/oidc/welcome`. You will have to go there manually for now. For example, it might be located at http://homeassistant.local:8123/auth/oidc/welcome.
-You can find all possible configuration options below.
+More (detailed) usage instructions can be found in the [Usage Guide](./docs/usage.md).
-### Login
+## Contributions
-You should now be able to see a second option on your login screen ("OpenID Connect (SSO)"). It provides you with a single input field.
+Contibutions are very welcome! If you program in Python or have worked with Home Assistant integrations before, please try to contribute. A list of requested contributions/future goals is in the [Contribution Guide](./CONTRIBUTING.md).
-To start, go to one of to one of these URLs (you may also set these as application URLs in your OIDC Provider):
+Please see the [Contribution Guide](./CONTRIBUTING.md) for more information.
 - `/auth/oidc/welcome` (if you would like a nice welcome screen for your users)
 - `/auth/oidc/redirect` (if you would like to just redirect them without a welcome screen)
-So, for example, you may start at http://homeassistant.local:8123/auth/oidc/welcome.
+### Found a security issue?
 Please see [SECURITY.md](./SECURITY.md) for more information on how to submit your security issue securely. You can find previously found vulnerablities and their corresponding security advisories at the [Security Advisories page](https://github.com/christiaangoossens/hass-oidc-auth/security/advisories).
-> [!TIP]
+## License
-> You can use a different device to login instead. Open the `/auth/oidc/welcome` link on device A and then type the obtained code into the normal HA login on device B (can also be the mobile app) to login.
+Distributed under the MIT license with no warranty. You are fully liable for configuring this integration correctly to keep your Home Assistant installation secure. Use at your own risk. The full license can be found in [LICENSE.md](./LICENSE.md)
 > [!TIP]
 > For a seamless user experience, configure a new domain on your proxy to redirect to the `/auth/oidc/welcome` path or configure that path on your homelab dashboard or in Authentik. Users will then always start on the OIDC welcome page, which will allow them to visit the dashboard if they are already logged in.
-With the default configuration, [a person entry](https://www.home-assistant.io/integrations/person/) will be created for every new OIDC user logging in. New OIDC users will get their own fresh user, linked to their persistent ID (subject) at the OpenID Connect provider. You may change your name, username or email at the provider and still have the same Home Assistant user profile.
+<!-- MARKDOWN LINKS & IMAGES -->
-
+<!-- https://www.markdownguide.org/basic-syntax/#reference-style-links -->
-### Configuration Options
+[contributors-shield]: https://img.shields.io/github/contributors/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
-
+[contributors-url]: https://github.com/christiaangoossens/hass-oidc-auth/graphs/contributors
-| Option                      | Type     | Required | Default             | Description                                                                                             |
+[forks-shield]: https://img.shields.io/github/forks/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
-|-----------------------------|----------|----------|----------------------|---------------------------------------------------------------------------------------------------------|
+[forks-url]: https://github.com/christiaangoossens/hass-oidc-auth/network/members
-| `client_id`                 | `string` | Yes      |                      | The Client ID as registered with your OpenID Connect provider.                                        |
+[stars-shield]: https://img.shields.io/github/stars/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
-| `client_secret`            | `string` | No       |                      | The Client Secret for enabling confidential client mode.                                             |
+[stars-url]: https://github.com/christiaangoossens/hass-oidc-auth/stargazers
-| `discovery_url`            | `string` | Yes      |                      | The OIDC well-known configuration URL.                                                                |
+[issues-shield]: https://img.shields.io/github/issues/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
-| `display_name`              | `string` | No       | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen.                                                                |
+[issues-url]: https://github.com/christiaangoossens/hass-oidc-auth/issues
-| `id_token_signing_alg`       | `string` | No       | `RS256`              | The signing algorithm that is used for your id_tokens.
+[license-shield]: https://img.shields.io/github/license/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
-| `features.automatic_user_linking`   | `boolean`| No       | `false`          | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login.     |
+[license-url]: https://github.com/christiaangoossens/hass-oidc-auth/blob/master/LICENSE.txt
 | `features.automatic_person_creation` | `boolean` | No       | `true`          | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users.                                            |
 | `features.disable_rfc7636`  | `boolean`| No       | `false`         | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers.                                    |
 | `claims.display_name`      | `string` | No       | `name`                     | The claim to use to obtain the display name.
 | `claims.username`         | `string` | No       | `preferred_username`                     | The claim to use to obtain the username.
 | `claims.groups`            | `string` | No       | `groups`                     | The claim to use to obtain the user's group(s). |
 | `roles.admin`            | `string` | No       | `admins`                     | Group name to require for users to get the 'admin' role in Home Assistant. Defaults to 'admins', the default group name for admins in Authentik. Doesn't do anything if no groups claim is found in your token. |
 | `roles.user`            | `string` | No       |                     | Group name to require for users to get the 'user' role in Home Assistant. Defaults to giving all users this role, unless configured. |
 #### Example: Migrating from HA username/password users to OIDC users
 If you already have users created within Home Assistant and would like to re-use the current user profile for your OIDC login, you can (temporarily) enable `features.automatic_user_linking`, with the following config (example):
 ```yaml
 auth_oidc:
    client_id: "someValueForTheClientId"
    discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
    features:
        automatic_user_linking: true
 ```
 Upon login, OIDC users will then automatically be linked to the HA user with the same username.
 > [!IMPORTANT]
 > It's recommended to only enable this temporarily as it may pose a security risk. Any OIDC user with a username corresponding to a user in Home Assistant can get access to that user, and it's existing rights (admin), even if MFA is currently enabled for that account. After you have migrated your users (and linked OIDC to all existing accounts) you can disable the feature and keep using the linked users.
 ## Development
 This project uses the Rye package manager for development. You can find installation instructions here: https://rye.astral.sh/guide/installation/.
 Start by installing the dependencies using `rye sync` and then point your editor towards the environment created in the `.venv` directory.
 ### Help wanted
 If you have any tips or would like to contribute, send me a message. You are also welcome to contribute a PR to fix any of the TODOs.
 Currently, this is a pre-alpha, so I welcome issues but I cannot guarantee I can fix them (at least within a reasonable time). Please turn on watch for this repository to remain updated. When the component is in a beta stage, issues will likely get fixed more frequently.
 ### TODOs
 - [X] Basic flow
 - [X] Implement a final link back to the main page from the finish page
 - [X] Improve welcome screen UI, should render a simple centered Tailwind UI instructing users that you should login externally to obtain a code.
 - [X] Improve finish screen UI, showing the code clearly with instructions to paste it into Home Assistant.
 - [X] Implement error handling on top of this proof of concept (discovery, JWKS, OIDC)
 - [X] Make id_token claim used for the group (admin/user) configurable
 - [X] Make id_token claim used for the username configurable
 - [X] Make id_token claim used for the name configurable
 - [ ] Add instructions on how to deploy this with Authentik & Authelia
 - [X] Configure Github Actions to automatically lint and build the package
 - [ ] Configure Dependabot for automatic updates
 - [ ] Configure tests
 - [ ] Consider use of setup UI instead of YAML (see https://github.com/christiaangoossens/hass-oidc-auth/discussions/6)
 Currently waiting on HA feature additions:
 - [ ] Update the HA frontend code to allow a redirection to be requested from an auth provider instead of manually opening welcome page (possibly after https://github.com/home-assistant/frontend/pull/23204)
 - [ ] Implement this redirection logic to open a new tab on desktop (#23204 uses popup)
 - [ ] Implement this redirection logic to open a Android Custom Tab (Android) / SFSafariViewController (iOS), instead of opening the link in the HA webview
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
 # Reporting Security Issues
 With the nature of the integration, security issues and bugs are taken very seriously. I appreciate your efforts to responsibly disclose your findings and I will acknowledge your finding in the security advisory and release notes of the release that fixes your vulnerability. Together, we will keep the Home Assistant community safe.
 To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/christiaangoossens/hass-oidc-auth/security/advisories/new) tab. **Do not make a public issue for your security vulnerability!**
 I (@christiaangoossens) will review security advisories regularly and send you a response indicating next steps in handling your report. This might include fixing the vulnerability before disclosing its nature, or working together in a private branch on a fix.
 Please note that this repository is maintained on a volunteer basis, I will try to respond quickly, but no guarantees.
 If your bug has to do with a third party package, please have it fixed there first, such that we can include a fixed version in an update of hass-oidc-auth.
 If you found a security vulnerability in Home Assistant itself, please report it at https://www.home-assistant.io/security/
 ## Non qualifying vulnerabities
 Some vulnerabilities do not qualify for fixing in a security patch. The Home Assistant team has made a list of them over at https://www.home-assistant.io/security/#non-qualifying-vulnerabilities.
--- a/custom_components/auth_oidc/init.py
+++ b/custom_components/auth_oidc/init.py
@@ -4,6 +4,7 @@ import logging
 from typing import OrderedDict
 from homeassistant.core import HomeAssistant
 from homeassistant.components.http import StaticPathConfig
 # Import and re-export config schema explictly
 # pylint: disable=useless-import-alias
@@ -16,9 +17,14 @@ from .config import (
    DISCOVERY_URL,
    DISPLAY_NAME,
    ID_TOKEN_SIGNING_ALGORITHM,
    GROUPS_SCOPE,
    ADDITIONAL_SCOPES,
    FEATURES,
    CLAIMS,
    ROLES,
    NETWORK,
    FEATURES_INCLUDE_GROUPS_SCOPE,
    FEATURES_FORCE_HTTPS,
 )
 # pylint: enable=useless-import-alias
@@ -36,6 +42,13 @@ _LOGGER = logging.getLogger(__name__)
 async def async_setup(hass: HomeAssistant, config):
    """Add the OIDC Auth Provider to the providers in Home Assistant"""
    if DOMAIN not in config:
        _LOGGER.warning(
            "Setup was triggered, but no configuration was found. "
            + "Did you downgrade from 0.7+ without deleting the OIDC UI configuration?"
        )
        return False
    my_config = config[DOMAIN]
    providers = OrderedDict()
@@ -51,10 +64,29 @@ async def async_setup(hass: HomeAssistant, config):
    _LOGGER.info("Registered OIDC provider")
-    # We only use openid, profile & groups, never email
+    # Set the correct scopes
-    scope = "openid profile groups"
+    # Always use 'openid' & 'profile' as they are specified in the OIDC spec
    # All servers should support this
    scope = "openid profile"
    # Include groups if requested (default is to include 'groups'
    # as a scope for Authelia & Authentik)
    features_config = my_config.get(FEATURES, {})
    include_groups_scope = features_config.get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
    groups_scope = my_config.get(GROUPS_SCOPE, "groups")
    if include_groups_scope:
        scope += " " + groups_scope
    # Add additional scopes if configured
    additional_scopes = my_config.get(ADDITIONAL_SCOPES, [])
    if additional_scopes:
        # Ensure we have a space before adding additional scopes
        if scope:
            scope += " "
        scope += " ".join(additional_scopes)
    # Create the OIDC client
    oidc_client = oidc_client = OIDCClient(
        hass=hass,
        discovery_url=my_config.get(DISCOVERY_URL),
        client_id=my_config.get(CLIENT_ID),
        scope=scope,
@@ -63,16 +95,28 @@ async def async_setup(hass: HomeAssistant, config):
        features=my_config.get(FEATURES, {}),
        claims=my_config.get(CLAIMS, {}),
        roles=my_config.get(ROLES, {}),
        network=my_config.get(NETWORK, {}),
    )
    # Register the views
    name = config[DOMAIN].get(DISPLAY_NAME, DEFAULT_TITLE)
    force_https = features_config.get(FEATURES_FORCE_HTTPS, False)
    hass.http.register_view(OIDCWelcomeView(name))
-    hass.http.register_view(OIDCRedirectView(oidc_client))
+    hass.http.register_view(OIDCRedirectView(oidc_client, force_https))
-    hass.http.register_view(OIDCCallbackView(oidc_client, provider))
+    hass.http.register_view(OIDCCallbackView(oidc_client, provider, force_https))
    hass.http.register_view(OIDCFinishView())
    await hass.http.async_register_static_paths(
        [
            StaticPathConfig(
                "/auth/oidc/static/style.css",
                hass.config.path("custom_components/auth_oidc/static/style.css"),
                cache_headers=False,
            ),
        ]
    )
    _LOGGER.info("Registered OIDC views")
    return True
--- a/custom_components/auth_oidc/config.py
+++ b/custom_components/auth_oidc/config.py
@@ -7,10 +7,14 @@ CLIENT_SECRET = "client_secret"
 DISCOVERY_URL = "discovery_url"
 DISPLAY_NAME = "display_name"
 ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
 GROUPS_SCOPE = "groups_scope"
 ADDITIONAL_SCOPES = "additional_scopes"
 FEATURES = "features"
 FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
 FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
 FEATURES_DISABLE_PKCE = "disable_rfc7636"
 FEATURES_INCLUDE_GROUPS_SCOPE = "include_groups_scope"
 FEATURES_FORCE_HTTPS = "force_https"
 CLAIMS = "claims"
 CLAIMS_DISPLAY_NAME = "display_name"
 CLAIMS_USERNAME = "username"
@@ -19,6 +23,10 @@ ROLES = "roles"
 ROLE_ADMINS = "admin"
 ROLE_USERS = "user"
 NETWORK = "network"
 NETWORK_TLS_VERIFY = "tls_verify"
 NETWORK_TLS_CA_PATH = "tls_ca_path"
 DEFAULT_TITLE = "OpenID Connect (SSO)"
 DOMAIN = "auth_oidc"
@@ -37,6 +45,12 @@ CONFIG_SCHEMA = vol.Schema(
                # Should we enforce a specific signing algorithm on the id tokens?
                # Defaults to RS256/RSA-pubkey
                vol.Optional(ID_TOKEN_SIGNING_ALGORITHM): vol.Coerce(str),
                # String value to allow changing the groups scope
                # Defaults to 'groups' which is used by Authelia and Authentik
                vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str),
                # Additional scopes to request from the OIDC provider
                # Optional, this field is unnecessary if you only use the openid and profile scopes.
                vol.Optional(ADDITIONAL_SCOPES, default=[]): vol.Coerce(list[str]),
                # Which features should be enabled/disabled?
                # Optional, defaults to sane/secure defaults
                vol.Optional(FEATURES): vol.Schema(
@@ -52,6 +66,14 @@ CONFIG_SCHEMA = vol.Schema(
                        # Feature flag to disable PKCE to support OIDC servers that do not
                        # allow additional parameters and don't support RFC 7636
                        vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
                        # Boolean which activates and deactivates scope 'groups'
                        vol.Optional(
                            FEATURES_INCLUDE_GROUPS_SCOPE, default=True
                        ): vol.Coerce(bool),
                        # Force HTTPS on all generated URLs (like redirect_uri)
                        vol.Optional(FEATURES_FORCE_HTTPS, default=False): vol.Coerce(
                            bool
                        ),
                    }
                ),
                # Determine which specific claims will be used from the id_token
@@ -78,6 +100,17 @@ CONFIG_SCHEMA = vol.Schema(
                        vol.Optional(ROLE_ADMINS): vol.Coerce(str),
                    }
                ),
                # Network options
                vol.Optional(NETWORK): vol.Schema(
                    {
                        # Verify x509 certificates provided when starting TLS connections
                        vol.Optional(NETWORK_TLS_VERIFY, default=True): vol.Coerce(
                            bool
                        ),
                        # Load custom certificate chain for private CAs
                        vol.Optional(NETWORK_TLS_CA_PATH): vol.Coerce(str),
                    }
                ),
            }
        )
    },
--- a/custom_components/auth_oidc/endpoints/callback.py
+++ b/custom_components/auth_oidc/endpoints/callback.py
@@ -17,10 +17,14 @@ class OIDCCallbackView(HomeAssistantView):
    name = "auth:oidc:callback"
    def __init__(
-        self, oidc_client: OIDCClient, oidc_provider: OpenIDAuthProvider
+        self,
        oidc_client: OIDCClient,
        oidc_provider: OpenIDAuthProvider,
        force_https: bool,
    ) -> None:
        self.oidc_client = oidc_client
        self.oidc_provider = oidc_provider
        self.force_https = force_https
    async def get(self, request: web.Request) -> web.Response:
        """Receive response."""
@@ -38,7 +42,7 @@ class OIDCCallbackView(HomeAssistantView):
            )
            return web.Response(text=view_html, content_type="text/html")
-        redirect_uri = get_url("/auth/oidc/callback")
+        redirect_uri = get_url("/auth/oidc/callback", self.force_https)
        user_details = await self.oidc_client.async_complete_token_flow(
            redirect_uri, code, state
        )
@@ -63,4 +67,6 @@ class OIDCCallbackView(HomeAssistantView):
            return web.Response(text=view_html, content_type="text/html")
        code = await self.oidc_provider.async_save_user_info(user_details)
-        return web.HTTPFound(get_url("/auth/oidc/finish?code=" + code))
+        return web.HTTPFound(
            get_url("/auth/oidc/finish?code=" + code, self.force_https)
        )
--- a/custom_components/auth_oidc/endpoints/finish.py
+++ b/custom_components/auth_oidc/endpoints/finish.py
@@ -41,7 +41,7 @@ class OIDCFinishView(HomeAssistantView):
        # Return redirect to the main page for sign in with a cookie
        return web.HTTPFound(
-            location="/",
+            location="/?storeToken=true",
            headers={
                # Set a cookie to enable autologin on only the specific path used
                # for the POST request, with all strict parameters set
--- a/custom_components/auth_oidc/endpoints/redirect.py
+++ b/custom_components/auth_oidc/endpoints/redirect.py
@@ -17,17 +17,21 @@ class OIDCRedirectView(HomeAssistantView):
    url = PATH
    name = "auth:oidc:redirect"
-    def __init__(self, oidc_client: OIDCClient) -> None:
+    def __init__(self, oidc_client: OIDCClient, force_https: bool) -> None:
        self.oidc_client = oidc_client
        self.force_https = force_https
    async def get(self, _: web.Request) -> web.Response:
        """Receive response."""
-        redirect_uri = get_url("/auth/oidc/callback")
+        try:
            redirect_uri = get_url("/auth/oidc/callback", self.force_https)
            auth_url = await self.oidc_client.async_get_authorization_url(redirect_uri)
            if auth_url:
-            return web.HTTPFound(auth_url)
+                raise web.HTTPFound(auth_url)
        except RuntimeError:
            pass
        view_html = await get_view(
            "error",
--- a/custom_components/auth_oidc/helpers.py
+++ b/custom_components/auth_oidc/helpers.py
@@ -4,12 +4,14 @@ from homeassistant.components import http
 from .views.loader import AsyncTemplateRenderer
-def get_url(path: str) -> str:
+def get_url(path: str, force_https: bool) -> str:
    """Returns the requested path appended to the current request base URL."""
    if (req := http.current_request.get()) is None:
        raise RuntimeError("No current request in context")
    base_uri = str(req.url).split("/auth", 2)[0]
    if force_https:
        base_uri = base_uri.replace("http://", "https://")
    return f"{base_uri}{path}"
--- a/custom_components/auth_oidc/manifest.json
+++ b/custom_components/auth_oidc/manifest.json
@@ -9,15 +9,15 @@
    "auth",
    "http"
  ],
-  "documentation": "https://github.com/christiaangoossens/hass-oidc-auth",
+  "documentation": "https://github.com/christiaangoossens/hass-oidc-auth/blob/v0.6.4-alpha/docs/configuration.md",
  "integration_type": "service",
  "iot_class": "calculated",
  "issue_tracker": "https://github.com/christiaangoossens/hass-oidc-auth/issues",
  "requirements": [
-    "python-jose>=3.3.0",
+    "aiofiles",
-    "aiofiles>=24.1.0",
+    "jinja2",
-    "jinja2>=3.1.4",
+    "bcrypt",
-    "bcrypt>=4.2.0"
+    "joserfc"
  ],
-  "version": "0.4.1"
+  "version": "0.6.5"
 }
--- a/custom_components/auth_oidc/oidc_client.py
+++ b/custom_components/auth_oidc/oidc_client.py
@@ -5,9 +5,12 @@ import logging
 import os
 import base64
 import hashlib
 import ssl
 from typing import Optional
 from functools import partial
 import aiohttp
-from jose import jwt, jwk
+from joserfc import jwt, jwk, jws, errors as joserfc_errors
 from homeassistant.core import HomeAssistant
 from .types import UserDetails
 from .config import (
@@ -17,6 +20,8 @@ from .config import (
    CLAIMS_GROUPS,
    ROLE_ADMINS,
    ROLE_USERS,
    NETWORK_TLS_VERIFY,
    NETWORK_TLS_CA_PATH,
 )
 _LOGGER = logging.getLogger(__name__)
@@ -42,10 +47,27 @@ class OIDCStateInvalid(OIDCClientException):
    "Raised when the state for your request cannot be matched against a stored state."
 class OIDCUserinfoInvalid(OIDCClientException):
    "Raised when the user info is invalid or cannot be obtained."
 class OIDCIdTokenSigningAlgorithmInvalid(OIDCTokenResponseInvalid):
    "Raised when the id_token is signed with the wrong algorithm, adjust your config accordingly."
 class HTTPClientError(aiohttp.ClientResponseError):
    "Raised when the HTTP client encounters not OK (200) status code."
    body: str
    def __init__(self, *args, **kwargs):
        self.body = kwargs.pop("body")
        super().__init__(*args, **kwargs)
    def __str__(self):
        return f"{self.status} ({self.message}) with response body: {self.body}"
 # pylint: disable=too-many-instance-attributes
 class OIDCClient:
    """OIDC Client implementation for Python, including PKCE."""
@@ -53,7 +75,18 @@ class OIDCClient:
    # Flows stores the state, code_verifier and nonce of all current flows.
    flows = {}
-    def __init__(self, discovery_url: str, client_id: str, scope: str, **kwargs: str):
+    # HTTP session to be used
    http_session: aiohttp.ClientSession = None
    def __init__(
        self,
        hass: HomeAssistant,
        discovery_url: str,
        client_id: str,
        scope: str,
        **kwargs: str,
    ):
        self.hass = hass
        self.discovery_url = discovery_url
        self.discovery_document = None
        self.client_id = client_id
@@ -70,13 +103,41 @@ class OIDCClient:
        features = kwargs.get("features")
        claims = kwargs.get("claims")
        roles = kwargs.get("roles")
        network = kwargs.get("network")
-        self.disable_pkce: bool = features.get(FEATURES_DISABLE_PKCE)
+        self.disable_pkce = features.get(FEATURES_DISABLE_PKCE, False)
        self.display_name_claim = claims.get(CLAIMS_DISPLAY_NAME, "name")
        self.username_claim = claims.get(CLAIMS_USERNAME, "preferred_username")
        self.groups_claim = claims.get(CLAIMS_GROUPS, "groups")
        self.user_role = roles.get(ROLE_USERS, None)
        self.admin_role = roles.get(ROLE_ADMINS, "admins")
        self.tls_verify = network.get(NETWORK_TLS_VERIFY, True)
        self.tls_ca_path = network.get(NETWORK_TLS_CA_PATH)
    def __del__(self):
        """Cleanup the HTTP session."""
        # HA never seems to run this, but it's good practice to close the session
        if self.http_session:
            _LOGGER.debug("Closing HTTP session")
            self.http_session.close()
    async def http_raise_for_status(self, response: aiohttp.ClientResponse) -> None:
        """Raises an exception if the response is not OK."""
        if not response.ok:
            # reason should always be not None for a started response
            assert response.reason is not None
            body = await response.text()
            raise HTTPClientError(
                response.request_info,
                response.history,
                status=response.status,
                message=response.reason,
                headers=response.headers,
                body=body,
            )
    def _base64url_encode(self, value: str) -> str:
        """Uses base64url encoding on a given string"""
@@ -86,55 +147,97 @@ class OIDCClient:
        """Generates a random URL safe string (base64_url encoded)"""
        return self._base64url_encode(os.urandom(length))
    async def _get_http_session(self) -> aiohttp.ClientSession:
        """Create or get the existing client session with custom networking/TLS options"""
        if self.http_session is not None:
            return self.http_session
        _LOGGER.debug(
            "Creating HTTP session provider with options: "
            + "verify certificates: %r, custom CA file: %s",
            self.tls_verify,
            self.tls_ca_path,
        )
        tcp_connector_args = {"verify_ssl": self.tls_verify}
        if self.tls_ca_path:
            # Move to hass' executor to prevent blocking code inside non-blocking method
            ssl_context = await self.hass.loop.run_in_executor(
                None, partial(ssl.create_default_context, cafile=self.tls_ca_path)
            )
            tcp_connector_args["ssl"] = ssl_context
        self.http_session = aiohttp.ClientSession(
            connector=aiohttp.TCPConnector(**tcp_connector_args)
        )
        return self.http_session
    async def _fetch_discovery_document(self):
        """Fetches discovery document from the given URL."""
        try:
-            async with aiohttp.ClientSession() as session:
+            session = await self._get_http_session()
            async with session.get(self.discovery_url) as response:
-                    response.raise_for_status()
+                await self.http_raise_for_status(response)
                return await response.json()
-        except aiohttp.ClientResponseError as e:
+        except HTTPClientError as e:
            if e.status == 404:
                _LOGGER.warning(
                    "Error: Discovery document not found at %s", self.discovery_url
                )
            else:
-                _LOGGER.warning("Error: %s - %s", e.status, e.message)
+                _LOGGER.warning("Error fetching discovery: %s", e)
            raise OIDCDiscoveryInvalid from e
    async def _get_jwks(self, jwks_uri):
        """Fetches JWKS from the given URL."""
        try:
-            async with aiohttp.ClientSession() as session:
+            session = await self._get_http_session()
            async with session.get(jwks_uri) as response:
-                    response.raise_for_status()
+                await self.http_raise_for_status(response)
                return await response.json()
-        except aiohttp.ClientResponseError as e:
+        except HTTPClientError as e:
-            _LOGGER.warning("Error fetching JWKS: %s - %s", e.status, e.message)
+            _LOGGER.warning("Error fetching JWKS: %s", e)
            raise OIDCJWKSInvalid from e
    async def _make_token_request(self, token_endpoint, query_params):
        """Performs the token POST call"""
        try:
-            async with aiohttp.ClientSession() as session:
+            session = await self._get_http_session()
            async with session.post(token_endpoint, data=query_params) as response:
-                    response.raise_for_status()
+                await self.http_raise_for_status(response)
                return await response.json()
-        except aiohttp.ClientResponseError as e:
+        except HTTPClientError as e:
            if e.status == 400:
                _LOGGER.warning(
-                    "Error: Token could not be obtained (Bad Request), "
+                    "Error: Token could not be obtained (%s, %s), "
-                    + "did you forget the client_secret?"
+                    + "did you forget the client_secret? Server returned: %s",
                    e.status,
                    e.message,
                    e.body,
                )
            else:
-                _LOGGER.warning(
+                _LOGGER.warning("Unexpected error exchanging token: %s", e)
-                    "Unexpected error exchanging token: %s - %s", e.status, e.message
+
                )
            raise OIDCTokenResponseInvalid from e
-    async def _parse_id_token(
+    async def _get_userinfo(self, userinfo_uri, access_token):
-        self, id_token: str, access_token: str | None
+        """Fetches userinfo from the given URL."""
-    ) -> Optional[dict]:
+        try:
            session = await self._get_http_session()
            headers = {"Authorization": "Bearer " + access_token}
            async with session.get(userinfo_uri, headers=headers) as response:
                await self.http_raise_for_status(response)
                return await response.json()
        except HTTPClientError as e:
            _LOGGER.warning("Error fetching userinfo: %s", e)
            raise OIDCUserinfoInvalid from e
    async def _parse_id_token(self, id_token: str) -> Optional[dict]:
        """Parses the ID token into a dict containing token contents."""
        if self.discovery_document is None:
            self.discovery_document = await self._fetch_discovery_document()
@@ -144,7 +247,8 @@ class OIDCClient:
        try:
            # Obtain the id_token header
-            unverified_header = jwt.get_unverified_header(id_token)
+            token_obj = jws.extract_compact(id_token.encode())
            unverified_header = token_obj.protected
            if not unverified_header:
                _LOGGER.warning("Could not get header from received id_token.")
                return None
@@ -173,7 +277,7 @@ class OIDCClient:
                    )
                    raise OIDCIdTokenSigningAlgorithmInvalid()
-                jwk_obj = jwk.construct(
+                jwk_obj = jwk.import_key(
                    {
                        "kty": "oct",
                        "k": base64.urlsafe_b64encode(
@@ -201,10 +305,14 @@ class OIDCClient:
                    _LOGGER.warning("Could not find matching key with kid: %s", kid)
                    return None
-                # Construct the JWK from the RSA key
+                # If signing_key does not have alg, set it to the one passed in the token
-                jwk_obj = jwk.construct(signing_key)
+                if "alg" not in signing_key:
                    signing_key["alg"] = alg
-            # Verify the token
+                # Construct the JWK from the RSA key
                jwk_obj = jwk.import_key(signing_key)
            # Decode the token, decode does not verify it
            decoded_token = jwt.decode(
                id_token,
                jwk_obj,
@@ -213,48 +321,31 @@ class OIDCClient:
                # according to JWS [JWS] using the algorithm specified in the JWT
                # alg Header Parameter.
                algorithms=[self.id_token_signing_alg],
            )
            # Create Claims Registry for validation
            id_token_validator = jwt.JWTClaimsRegistry(
                leeway=5,
                # OpenID Connect Core 1.0 Section 3.1.3.7.3
                # The Client MUST validate that the aud (audience) Claim contains
                # its client_id value registered at the Issuer identified by the
                # iss (issuer) Claim as an audience.
-                audience=self.client_id,
+                aud={"essential": True, "value": self.client_id},
                # OpenID Connect Core 1.0 Section 3.1.3.7.2
                # The Issuer Identifier for the OpenID Provider MUST exactly
                # match the value of the iss (issuer) Claim.
-                issuer=self.discovery_document["issuer"],
+                iss={"essential": True, "value": self.discovery_document["issuer"]},
                access_token=access_token,
                options={
                    # Verify everything if present
                    "verify_signature": True,
                    "verify_aud": True,
                    "verify_iat": True,
                    "verify_exp": True,
                    "verify_nbf": True,
                    "verify_iss": True,
                    "verify_sub": True,
                    "verify_jti": True,
                    "verify_at_hash": True,
                    # OpenID Connect Core 1.0 Section 3.1.3.7.3
                    "require_aud": True,
                    # OpenID Connect Core 1.0 Section 3.1.3.7.10
                    "require_iat": True,
                # OpenID Connect Core 1.0 Section 3.1.3.7.9
-                    "require_exp": True,
+                # OpenID Connect Core 1.0 Section 3.1.3.7.10
-                    # OpenID Connect Core 1.0 Section 3.1.3.7.2
+                # No need to specify exp, nbf, iat, they are in here by default
-                    "require_iss": True,
+                sub={"essential": True},
                    # We need the sub as it's used to identify the user
                    "require_sub": True,
                    # Other values, not required.
                    "require_nbf": False,
                    "require_jti": False,
                    "require_at_hash": False,
                    "leeway": 5,
                },
            )
            return decoded_token
-        except jwt.JWTError as e:
+            id_token_validator.validate(decoded_token.claims)
-            _LOGGER.warning("JWT Verification failed: %s", e)
+            return decoded_token.claims
        except joserfc_errors.JoseError as e:
            _LOGGER.warning("JWT verification failed: %s", e)
            return None
    async def async_get_authorization_url(self, redirect_uri: str) -> Optional[str]:
@@ -303,6 +394,57 @@ class OIDCClient:
            _LOGGER.warning("Error generating authorization URL: %s", e)
            return None
    async def parse_user_details(self, id_token: str, access_token: str) -> UserDetails:
        """Parses the ID token and/or userinfo into user details."""
        # Fetch userinfo if there is an userinfo_endpoint available
        # and use the data to supply the missing values in id_token
        if "userinfo_endpoint" in self.discovery_document:
            userinfo_endpoint = self.discovery_document["userinfo_endpoint"]
            userinfo = await self._get_userinfo(userinfo_endpoint, access_token)
            # Replace missing claims in the id_token with their userinfo version
            for claim in (
                self.groups_claim,
                self.display_name_claim,
                self.username_claim,
            ):
                if claim not in id_token and claim in userinfo:
                    id_token[claim] = userinfo[claim]
        # Get and parse groups (to check if it's an array)
        groups = id_token.get(self.groups_claim, [])
        if not isinstance(groups, list):
            _LOGGER.warning("Groups claim is not a list, using empty list instead.")
            groups = []
        # Assign role if user has the required groups
        role = "invalid"
        if self.user_role in groups or self.user_role is None:
            role = "system-users"
        if self.admin_role in groups:
            role = "system-admin"
        # Create a user details dict based on the contents of the id_token & userinfo
        return {
            # Subject Identifier. A locally unique and never reassigned identifier within the
            # Issuer for the End-User, which is intended to be consumed by the Client
            # Only unique per issuer, so we combine it with the issuer and hash it.
            # This might allow multiple OIDC providers to be used with this integration.
            "sub": hashlib.sha256(
                f"{self.discovery_document['issuer']}.{id_token.get('sub')}".encode(
                    "utf-8"
                )
            ).hexdigest(),
            # Display name, configurable
            "display_name": id_token.get(self.display_name_claim),
            # Username, configurable
            "username": id_token.get(self.username_claim),
            # Role
            "role": role,
        }
    async def async_complete_token_flow(
        self, redirect_uri: str, code: str, state: str
    ) -> Optional[UserDetails]:
@@ -341,11 +483,9 @@ class OIDCClient:
            )
            id_token = token_response.get("id_token")
            access_token = token_response.get("access_token")
            # Parse the id token to obtain the relevant details
-            # Access token is supplied to check at_hash if present
+            id_token = await self._parse_id_token(id_token)
            id_token = await self._parse_id_token(id_token, access_token)
            if id_token is None:
                _LOGGER.warning("ID token could not be parsed!")
@@ -359,40 +499,8 @@ class OIDCClient:
                _LOGGER.warning("Nonce mismatch!")
                return None
-            # TODO: If the configured claims are not present in id_token, we should fetch userinfo
+            access_token = token_response.get("access_token")
-
+            data = await self.parse_user_details(id_token, access_token)
            # Get and parse groups (to check if it's an array)
            groups = id_token.get(self.groups_claim, [])
            if not isinstance(groups, list):
                _LOGGER.warning("Groups claim is not a list, using empty list instead.")
                groups = []
            # Assign role if user has the required groups
            role = "invalid"
            if self.user_role in groups or self.user_role is None:
                role = "system-users"
            if self.admin_role in groups:
                role = "system-admin"
            # Create a user details dict based on the contents of the id_token & userinfo
            data: UserDetails = {
                # Subject Identifier. A locally unique and never reassigned identifier within the
                # Issuer for the End-User, which is intended to be consumed by the Client
                # Only unique per issuer, so we combine it with the issuer and hash it.
                # This might allow multiple OIDC providers to be used with this integration.
                "sub": hashlib.sha256(
                    f"{self.discovery_document['issuer']}.{id_token.get('sub')}".encode(
                        "utf-8"
                    )
                ).hexdigest(),
                # Display name, configurable
                "display_name": id_token.get(self.display_name_claim),
                # Username, configurable
                "username": id_token.get(self.username_claim),
                # Role
                "role": role,
            }
            # Log which details were obtained for debugging
            # Also log the original subject identifier such that you can look it up in your provider
@@ -403,5 +511,5 @@ class OIDCClient:
            )
            return data
        except OIDCClientException as e:
-            _LOGGER.warning("Error completing token flow: %s", e)
+            _LOGGER.warning("Failed to complete token flow, returning None. (%s)", e)
            return None
--- a/custom_components/auth_oidc/static/input.css
+++ b/custom_components/auth_oidc/static/input.css
@@ -0,0 +1,3 @@
@import "tailwindcss";
@source "../views/templates";
--- a/custom_components/auth_oidc/static/style.css
+++ b/custom_components/auth_oidc/static/style.css
--- a/custom_components/auth_oidc/views/loader.py
+++ b/custom_components/auth_oidc/views/loader.py
@@ -54,7 +54,9 @@ class AsyncTemplateRenderer:
        if template_name not in templates:
            raise ValueError(f"Template '{template_name}' not found.")
-        env = Environment(loader=DictLoader(templates), enable_async=True)
+        env = Environment(
            loader=DictLoader(templates), enable_async=True, autoescape=True
        )
        template = env.get_template(template_name)
        # Render template
--- a/custom_components/auth_oidc/views/templates/base.html
+++ b/custom_components/auth_oidc/views/templates/base.html
@@ -6,7 +6,7 @@
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>{% block title %}{% endblock %}</title>
-    <script src="https://cdn.tailwindcss.com"></script>
+    <link rel="stylesheet" href="/auth/oidc/static/style.css">
    {% endblock %}
 </head>
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -0,0 +1,166 @@
 # Configuration methods
 Currently, the only available configuration method is YAML in your `configuration.yaml` file. In the future, we will also add limited UI configuration for the most common configurations (Authentik, Authelia and Pocket-ID). Advanced users will need to use the YAML configuration in any case.
 # YAML Configuration
 For now, this integration is configured using YAML in your `configuration.yaml` file. By default, only two fields are required:
 ```yaml
 auth_oidc:
  client_id: ""
  discovery_url: ""
 ```
 The default settings assume that you configure Home Assistant as a **public client**, without a client secret. If so, you should only need to provide the `client_id` from your OIDC provider and it's discovery URL (ending in `.well-known/openid-configuration`).
 You don't have to configure other settings in most cases, as they have secure defaults set. If your provider requires manually configuring the callback URL, use `<your HA URL>/auth/oidc/callback`.
 ## Provider Configurations
 Here are some documentation links for specific providers that you may want to follow:
 * [Authentik](./provider-configurations/authentik.md)
 * [Authelia](./provider-configurations/authelia.md)
 * [Pocket ID](./provider-configurations/pocket-id.md)
 * [Kanidm](./provider-configurations/kanidm.md)
 * [Microsoft Entra ID](./provider-configurations/microsoft-entra.md)
 _Missing a provider? Submit your guide using a PR._
 ## Common Configurations
 ### Configuring Client Secret
 If you want to configure Home Assistant as a **confidential client**, you should provide the client secret as well. An example configuration might look like this:
 ```yaml
 auth_oidc:
  client_id: ""
  client_secret: !secret oidc_client_secret
  discovery_url: ""
 ```
 You should use the Home Assistant secrets helper (`!secret`) to make sure you store secrets securely. See https://www.home-assistant.io/docs/configuration/secrets/ for more information.
 > [!IMPORTANT]  
 > Most users will not experience any benefits from using a confidential client, as using properly configured redirect URLs + PKCE already provides enough security in a home setting and using a client secret introduces the risk of it getting lost/stolen/put on the internet. Do not use a confidential setup if you don't know what you are doing.
 ### Configuring roles & scopes or OIDC settings
 If your provider isn't listed above, you might want to configure OIDC settings yourself. Here's an example configuration for that use case:
 ```yaml
 auth_oidc:
  client_id: ""
  discovery_url: ""
  id_token_signing_alg: <HS256, RS256, ES256, ...>
  groups_scope: <groups scope>
  claims:
    display_name: <display name claim from your provider>
    username: <username claim from your provider>
    groups: <groups claim from your provider>
  roles:
    admin: <group name to use for admins>
    user: <group name to use for users>
 ```
 If you configure the user role, OIDC users that have neither configured group name will be rejected! If you configure the admin role, users with that role will receive administrator rights in Home Assistant automatically upon login.
 ### Configuring a display name for your OIDC provider
 If you would like to change the default name on the OIDC welcome screen and Home Assistant login screens from `OpenID Connect (SSO)` to your own display name, you can set the `display_name` configuration property.
 ```yaml
 auth_oidc:
  client_id: ""
  discovery_url: ""
  display_name: "Example"
 ```
 This will show the provider on the login screen as: "Login with Example".
 ### Forcing HTTPS
 First check if you are setting the header `X-Forwarded-Proto` in your proxy and if the [proxy settings for Home Assistant](https://www.home-assistant.io/integrations/http/#use_x_forwarded_for) are configured correctly. You should also check if IP addresses in your logs actually match the origin IP (instead of proxy IP). If you cannot find any mistakes, you may use the following config option to force HTTPS regardless:
 ```yaml
 auth_oidc:
  features:
     force_https: true
 ```
 ### Disabling registration for new users
 This integration does not allow disabling registration for new users, as there is no way to abort registration that late in the process while providing a good user experience.
 You can however set both roles to groups that only contain certain users or to a non-existant group.
 ```yaml
 auth_oidc:
  roles:
     user: "non_existent"
     admin: "admins"
 ```
 Note that if you put both on non-existent groups, no users will be able to login.
 ### Migrating from HA username/password users to OIDC users
 If you already have users created within Home Assistant and would like to re-use the current user profile for your OIDC login, you can (temporarily) enable `features.automatic_user_linking`, with the following config (example):
 ```yaml
 auth_oidc:
  client_id: "someValueForTheClientId"
  discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
  features:
    automatic_user_linking: true
 ```
 Upon login, OIDC users will then automatically be linked to the HA user with the same username. It's recommended to **only enable this temporarily** as it may pose a security risk. You should disable it after linking all your users, as existing links will still work if you disable it, but no new links will be created.
 > [!CAUTION]
 > Any OIDC user with a username corresponding to a user in Home Assistant can get access to that user and all its rights/configuration.
 > [!CAUTION]
 > MFA is ignored when using this setting, thus bypassing any MFA configuration the user has originally configured, as long as the username is an exact match. This is dangerous if you are not aware of it!
 ### Using a private certificate authority
 If you use a private certificate authority to secure your OIDC provider, you must configure the root certificates of your private certificate authority. Otherwise you will get an error (`[SSL: CERTIFICATE_VERIFY_FAILED]`) when connecting to the OIDC provider.
 You can either make the CA known to the entire operating system or configure only this component to use the CA. If you want to only use your private CA with this integration, you can specify it via `network.tls_ca_path`:
 ```yaml
 auth_oidc:
  network:
    tls_ca_path: /path/to/private-ca.pem
 ```
 If you want to deactivate the validation of all TLS certificates for test purposes, you can do this via `network.tls_verify: false`:
 ```yaml
 auth_oidc:
  network:
    tls_verify: false
 ```
 > [!CAUTION]
 > Do not disable `tls_verify` in a production setting or when your Home Assistant installation is exposed outside of your network. If disabled, man-in-the-middle attacks can be used to change the provider configuration to allow fake tokens to be used.
 ## All configuration Options
 Here's a table of all options that you can set:
 | Option                      | Type     | Required | Default             | Description                                                                                             |
 |-----------------------------|----------|----------|----------------------|---------------------------------------------------------------------------------------------------------|
 | `client_id`                 | `string` | Yes      |                      | The Client ID as registered with your OpenID Connect provider.                                        |
 | `client_secret`            | `string` | No       |                      | The Client Secret for enabling confidential client mode.                                             |
 | `discovery_url`            | `string` | Yes      |                      | The OIDC well-known configuration URL.                                                                |
 | `display_name`              | `string` | No       | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen.                                                                |
 | `id_token_signing_alg`       | `string` | No       | `RS256`              | The signing algorithm that is used for your id_tokens.
 | `groups_scope`  | `string` | No       | `groups`           | Override the default grups scope with another scope of your choice. |
 | `additional_scopes`|`list of strings`| No        | `empty list`    | Add additional scopes to request for custom identity provider configurations in addition to the automatic `openid` and `profile` scopes and the `groups_scope` configuration option |
 | `features.automatic_user_linking`   | `boolean`| No       | `false`          | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login.     |
 | `features.automatic_person_creation` | `boolean` | No       | `true`          | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users.                                            |
 | `features.disable_rfc7636`  | `boolean`| No       | `false`         | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers.                                    |
 | `features.include_groups_scope`  | `boolean` | No       | `true`           | Include the 'groups' scope in the OIDC request. Set to `false` to exclude it. |
 | `features.force_https`  | `boolean` | No       | `false`           | Set to `true` to force all URLs generated to use `https` instead of automatically determining based on the request scheme or `X-Forwarded-Proto`. |
 | `claims.display_name`      | `string` | No       | `name`                     | The claim to use to obtain the display name.
 | `claims.username`         | `string` | No       | `preferred_username`                     | The claim to use to obtain the username.
 | `claims.groups`            | `string` | No       | `groups`                     | The claim to use to obtain the user's group(s). |
 | `roles.admin`            | `string` | No       | `admins`                     | Group name to require for users to get the 'admin' role in Home Assistant. Defaults to 'admins', the default group name for admins in Authentik. Doesn't do anything if no groups claim is found in your token. |
 | `roles.user`            | `string` | No       |                     | Group name to require for users to get the 'user' role in Home Assistant. Defaults to giving all users this role, unless configured. |
 | `network.tls_verify`         | `boolean` | No       | `true`                     | Verify TLS certificate. You may want to set this set to `false` when testing locally. |
 | `network.tls_ca_path`            | `string` | No       |                       | Path to file containing a private certificate authority chain. |
--- a/docs/provider-configurations/authelia.md
+++ b/docs/provider-configurations/authelia.md
@@ -0,0 +1,69 @@
 # Authelia
 ## Public client configuration
 > [!NOTE]  
 > This configuration strictly requires a HTTPS redirect uri.
 Authelia `configuration.yml`
 ```yaml
 identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'homeassistant'
        client_name: 'Home Assistant'
        public: true
        require_pkce: true
        pkce_challenge_method: 'S256'
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://hass.example.com/auth/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
        id_token_signed_response_alg: 'RS256'
 ```
 Home Assistant `configuration.yaml`
 ```yaml
 auth_oidc:
    client_id: "homeassistant"
    discovery_url: "https://auth.example.com/.well-known/openid-configuration"
 ```
 ## Confidential client configuration:
 Authelia `configuration.yml`
 ```yaml
 identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'homeassistant'
        client_name: 'Home Assistant'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        require_pkce: true
        pkce_challenge_method: 'S256'
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://hass.example.com/auth/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
        id_token_signed_response_alg: 'RS256'
        token_endpoint_auth_method: 'client_secret_post'
 ```
 Home Assistant `configuration.yaml`
 ```yaml
 auth_oidc:
  client_id: "homeassistant"
  client_secret: "insecure_secret"
  discovery_url: "https://auth.example.com/.well-known/openid-configuration"
 ```
--- a/docs/provider-configurations/authentik.md
+++ b/docs/provider-configurations/authentik.md
@@ -0,0 +1,40 @@
 # Authentik
 ## Public client configuration
 Under construction.
 ## Confidential client configuration
 1. From the admin interface, go to `Applications > Providers` and click on `Create`
 2. Select `OAuth2/OpenID Provider` and click `Next`
 3. Fill the following details:
    - Name: `Home Assistant Provider`
    - Authorization flow: `default-provider-authorization-explicit-consent`
    - Client type: `Confidential`
    - Client ID: `homeassistant`
    - Client Secret: **Copy this value**
    - Redirect URIs/Origins: Click on `Add entry` (You can use either DNS, Internal/External IP or localhost)
        - Strict: https://hass.example.com/auth/oidc/callback
 4. Click `Finish` to save the provider configuration
 5. Open the created Provider 
 6. On the Assigned to application section click on `Create`:
    - Name: `Home Assistant`
    - Slug: `home-assistant`
    - Provider: `Home Assistant Provider`
    Then save the configuration
 ## Home Assistant configuration
 > [!IMPORTANT]  
 > For HTTPS configuration make sure to have a public valid SSL certificate (i.e. LetsEncrypt), if not, use HTTP instead (more insecure) or add your Authentik CA certificate to `network.tls_ca_path`.
 After installing this HACS addon, edit your `configuration.yaml` file and add:
 ```yaml
 auth_oidc:
  client_id: "homeassistant"
  client_secret: "client_secret"
  discovery_url: "https://auth.example.com/application/o/home-assistant/.well-known/openid-configuration"
 ```
 Restart Home Assistant and go to https://hass.example.com/auth/oidc/welcome
--- a/docs/provider-configurations/kanidm.md
+++ b/docs/provider-configurations/kanidm.md
@@ -0,0 +1,145 @@
 # Kanidm
 ## Public client configuration
 [Home Assistant](https://github.com/home-assistant/core) `/var/lib/hass/configuration.yaml`
 ```yaml
 auth_oidc:
  client_id: "homeassistant"
  discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
  features:
    automatic_person_creation: true
  id_token_signing_alg: "ES256"
  roles:
    admin: "homeassistant_admins@idm.example.org"
    user: "idm_all_persons@idm.example.org"
 ```
 [Kanidm](https://github.com/kanidm/kanidm)
 1. Create your Kanidm account, if you don't have one already:
 ```shell
 kanidm person create "your_username" "Your Username" --name "idm_admin"
 ```
 2. Create a new Kanidm group for your HomeAssistant administrators (`homeassistant_admins`), and add your regular account to it:
 ```shell
 kanidm group create "homeassistant_admins" --name "idm_admin"
 kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
 ```
 3. Create a new OAuth2 application configuration in Kanidm (`homeassistant`), configure the redirect URL, and scope access:
 ```shell
 kanidm system oauth2 create-public "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
 kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
 kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
 ```
 [Kanidm Provision](https://github.com/oddlama/kanidm-provision) `state.json`
 ```jsonc
 {
  "groups": {
    "homeassistant_admins": {
      "members": ["your_username"]
    }
  },
  "persons": {
    "your_username": {
      "displayName": "Your Username"
    },
  },
  "systems": {
    "oauth2": {
      "homeassistant": {
        "displayName": "Home Assistant",
        "originLanding": "https://hass.example.org/auth/oidc/welcome",
        "originUrl": "https://hass.example.org/auth/oidc/callback",
        "public": true,
        "scopeMaps": {
          "homeassistant_users": ["email", "groups", "openid", "profile"]
        }
      }
    }
  }
 }
 ```
 ## Confidential client configuration
 [Home Assistant](https://github.com/home-assistant/core) `/var/lib/hass/configuration.yaml`
 ```yaml
 auth_oidc:
  client_id: "homeassistant"
  client_secret: !secret oidc_client_secret
  discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
  features:
    automatic_person_creation: true
  id_token_signing_alg: "ES256"
  roles:
    admin: "homeassistant_admins@idm.example.org"
    user: "idm_all_persons@idm.example.org"
 ```
 [Kanidm](https://github.com/kanidm/kanidm)
 1. Create your Kanidm account, if you don't have one already:
 ```shell
 kanidm person create "your_username" "Your Username" --name "idm_admin"
 ```
 2. Create a new Kanidm group for your HomeAssistant administrators (`homeassistant_admins`), and add your regular account to it:
 ```shell
 kanidm group create "homeassistant_admins" --name "idm_admin"
 kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
 ```
 3. Create a new OAuth2 application configuration in Kanidm (`homeassistant`), configure the redirect URL, and scope access:
 ```shell
 kanidm system oauth2 create "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
 kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
 kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
 ```
 4. Get the `homeassistant` OAuth2 client secret from Kanidm:
 ```shell
 kanidm system oauth2 show-basic-secret "homeassistant" --name "idm_admin" | xargs echo 'oidc_client_secret: {}' | tee --append "/var/lib/hass/secrets.yaml"
 ```
 [Kanidm Provision](https://github.com/oddlama/kanidm-provision) `state.json`
 ```jsonc
 {
  "groups": {
    "homeassistant_admins": {
      "members": ["your_username"]
    }
  },
  "persons": {
    "your_username": {
      "displayName": "Your Username"
    },
  },
  "systems": {
    "oauth2": {
      "homeassistant": {
        "displayName": "Home Assistant",
        "originLanding": "https://hass.example.org/auth/oidc/welcome",
        "originUrl": "https://hass.example.org/auth/oidc/callback",
        "scopeMaps": {
          "homeassistant_users": ["email", "groups", "openid", "profile"]
        }
      }
    }
  }
 }
 ```
--- a/docs/provider-configurations/microsoft-entra.md
+++ b/docs/provider-configurations/microsoft-entra.md
@@ -0,0 +1,51 @@
 # Microsoft Entra ID
 > [!WARNING]  
 > Microsoft Entra ID does not support public clients that are not Single Page Applications (SPA's). Therefore, you will have to use a client secret.
 ## Basic configuration
 1. Go to app registrations in Entra ID.
 2. Create a new app, use the "Web" type for the redirect URI and fill in your URL: `<ha url>/auth/oidc/callback`. Note that you either have to use localhost, or HTTPS.
 3. Copy the 'Application (client) ID' on the overview page of your app and use it as your `client_id`.
 4. Create the discovery URL:
   -  If you selected 'own tenant only' use the 'Directory (tenant) ID' on the overview page of your app and create the discovery URL using: `https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration`.
   - If you selected any Azure AD account (would not recommend this) or also personal accounts, use `https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration`.
 5. Go to Certificates & Secrets and create a client secret. Make sure to copy the 'Value' and not the Secret ID. Use this value for `client_secret` in the HA config.
    - Make sure to renew this secret in time. It will expire in two years.
 6. Go to API Permissions and click 'Add permission'. Add the `openid` and `profile` permissions from Microsoft Graph. You can remove `User.Read`.
 Now configure Home Assistant with the following:
 ```
 auth_oidc:
   client_id: < client id from the 'Application (client) ID field' >
   discovery_url: < discovery URL you made in step 4 >
   client_secret: < client seret from step 5 >
   features:
      include_groups_scope: False
 ```
 > [!CAUTION]
 > Be careful! Configuring Entra ID wrong may leave your Home Assistant install open for anyone with a Microsoft account. Please use "Single tenant" account types only. Do not enable "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" or personal account modes without enabling the mode to only allow specific accounts first!
 ## Configuring user roles
 If you like to configure the Home Assistant users roles based on your Entra ID settings, you have to create 2 roles within your Entra ID app registration.
 Go to "App registrations" and select app roles. Create two new roles for admins and users, giving them sensible names and values (the example uses `users` and `admins`), that you will need later in your HA configuration.
 <img width="1205" height="965" alt="Entra-HA-Roles" src="https://github.com/user-attachments/assets/568a1526-0607-4f88-945f-7c4f1fcc0ac2" />
 Then you need to create the users and assign them a role of your choice.
 Go to "Enterprise apps" chose your app registration again and select "Users and groups" within the manage section. Add users, or groups from your tenant or AD-sync and assign them a role, from the ones you created before.
 <img width="1112" height="570" alt="Entra-HA-Users" src="https://github.com/user-attachments/assets/13a49cee-798b-4b53-8fee-d2792ccd7763" />
 Last thing to do is to include
 ```
  claims:
    groups: "roles"
  roles:
    admin: "admins"
    user: "users"
 ```
 in your auth_oidc config, where the roles values correspond to the ones you chose in your Entra ID roles.
 Make sure, you keep the "include_groups_scope: False" from the basic configuration, as the claim needed for Entra ID is "roles".
 Newly created users will get the role assigned in Entra ID, but there is no update to user roles. A user created with user role in HA will not get the admin role, if you change the assignment later on in Entra ID.
--- a/docs/provider-configurations/pocket-id.md
+++ b/docs/provider-configurations/pocket-id.md
@@ -0,0 +1,58 @@
 # Pocket ID
 ## Public client configuration
 ### Pocket ID configuration
 1. Login to Pocket ID and go to `OIDC Clients`
 2. Click on `Add OIDC Client`
 3. Fill the following details:
    - Name: `Home Assistant`
    - Callback URLs: `<your-homeassistant-url>/auth/oidc/callback` (for example: https://hass.example.com/auth/oidc/callback)
    - Click on `Public Client` (PKCE will be automatically marked when doing this)
 4. Click on `Save`
 5. Click on `Show more details` and note down your `Client ID` and `OIDC Discovery URL` since you will need them later.
 ### Home Assistant configuration
 1. Add following configuration in Home Assistant's configuration.yaml:
 ```yaml
 auth_oidc:
  client_id: <The Client ID you have noted down> 
  discovery_url: <The OIDC Discovery URL you have noted down> (for example: https://id.example.com/.well-known/openid-configuration)
 ```
 2. Restart Home Assistant and go to your Home Assistant OIDC URL (for example: https://hass.example.com/auth/oidc/welcome)
 ## Confidential client configuration
 ### Pocket ID configuration
 1. Login to Pocket ID and go to `OIDC Clients`
 2. Click on `Add OIDC Client`
 3. Fill the following details:
    - Name: `Home Assistant`
    - Callback URLs: `<your-homeassistant-url>/auth/oidc/callback` (for example: https://hass.example.com/auth/oidc/callback)
 4. Click on `Save`
 5. Click on `Show more details` and note down your:
    - `Client ID`
    - `Client secret`
    - `OIDC Discovery URL`
 ### Home Assistant configuration
 1. Add following configuration in Home Assistant's configuration.yaml:
 ```yaml
 auth_oidc:
  client_id: <The Client ID you have noted down>
  client_secret: <The Client secret you have noted down>
  discovery_url: <The OIDC Discovery URL you have noted down> (for example: https://id.example.com/.well-known/openid-configuration)
 ```
 2. Restart Home Assistant and go to your Home Assistant OIDC URL (for example: https://hass.example.com/auth/oidc/welcome)
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -0,0 +1,84 @@
 # How do I use the OIDC Integration for Home Assistant?
 Here's a step by step guide to use the integration:
 ### Step 1: HACS
 Install the integration through [HACS](https://hacs.xyz/). You can add it automatically using the button below, or use the Github URL and type `Integration` in the manual Custom Repository add dialog.
 [![Open your Home Assistant instance and open a repository inside the Home Assistant Community Store.](https://my.home-assistant.io/badges/hacs_repository.svg)](https://my.home-assistant.io/redirect/hacs_repository/?owner=christiaangoossens&repository=hass-oidc-auth&category=Integration)
 ### Step 2: Configuration of the integration
 The integration is currently configurable through YAML only. See the [Configuration Guide](./configuration.md) for more details or pick your OIDC provider below (additional providers are available in the Configuration Guide):
 | <img src="https://goauthentik.io/img/icon_top_brand_colour.svg" width="100"> | <img src="https://www.authelia.com/images/branding/logo-cropped.png" width="100"> | <img src="https://github.com/user-attachments/assets/4ceb2708-9f29-4694-b797-be833efce17d" width="100"> |
 |:-----------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------:|
 | [Authentik](./provider-configurations/authentik.md)                                       | [Authelia](./provider-configurations/authelia.md)                                     | [Pocket ID](./provider-configurations/pocket-id.md)                                     |
 By default, the integration assumes you configure Home Assistant as a **public client** and thus only specify the `client_id` and no `client_secret`. For example, your configuration might look like:
 ```yaml
 auth_oidc:
  client_id: "example"
  discovery_url: "https://example.com/.well-known/openid-configuration"
 ```
 When registering Home Assistant at your OIDC provider, use `<your HA URL>/auth/oidc/callback` as the callback URL and select 'public client'. You should now get the `client_id` and `issuer_url` or `discovery_url` to fill in.
 ### Step 3: Restart
 Restart Home Assistant. You can do so by going to the Reparations/Update section in Home Assistant.
 ### Step 4: Go to the OIDC login screen
 After restarting Home Assistant, you should now be able to get to the login screen. You can find it at `<your HA URL>/auth/oidc/welcome`. You will have to go there manually for now. For example, it might be located at http://homeassistant.local:8123/auth/oidc/welcome.
 It should look like this:
 ![image](https://github.com/user-attachments/assets/7320b7d3-b9f9-4268-ba1f-4deb0c6805ea)
 If you have configured everything correctly, you should be redirected to your OIDC Provider after clicking the button. Please login there.
 You should return to a screen like this:
 ![image](https://github.com/user-attachments/assets/d9c305bd-4a93-4a97-ae55-dba6361d92c8)
 Either click the automatic sign in button or copy the code.
 This screen will give you a one-time code to login that expires in 5 minutes.
 #### Step 4a: Automatic login
 If you would like to login automatically, click the button. It will log you in to your user in the current browser window.
 #### Step 4b: Code login
 If you would like to login using the code, go to your normal Home Assistant URL without any user logged in, such as on your mobile device/wall tablet/smart watch. You will now see the following screen:
 ![image](https://github.com/user-attachments/assets/4ed2b408-53e4-429e-920a-7628ddbcfc02)
 If you don't, you likely see:
 ![image](https://github.com/user-attachments/assets/80629c60-793e-4933-8b45-283234798ffb)
 If so, click "OpenID Connect (SSO)" to get to the first screen. If you have configured a [display name](./configuration.md#configuring-a-display-name-for-your-oidc-provider), that will show instead.
 Enter your code into the single input field:
 ![image](https://github.com/user-attachments/assets/f031a41c-5a85-44b8-8517-3feabaa44fd5)
 Upon clicking login, you should now login.
 If the code is wrong, you will see this instead:
 ![image](https://github.com/user-attachments/assets/317d20e4-0e10-40f7-bb68-5cf456faf87d)
 #### Step 5: Logged in
 You will be logged in after following this guide.
 With the default configuration, [a person entry](https://www.home-assistant.io/integrations/person/) will be created for every new OIDC user logging in. New OIDC users will get their own fresh user, linked to their persistent ID (subject) at the OpenID Connect provider. You may change your name, username or email at the provider and still have the same Home Assistant user profile.
 # How can I make this easier for my users?
 You can link the user directly to one of these following URLs:
 - `/auth/oidc/welcome` (if you would like a nice welcome screen for your users)
 - `/auth/oidc/redirect` (if you would like to just redirect them without a welcome screen)
 For a seamless user experience, configure a new domain on your proxy to redirect to the `/auth/oidc/welcome` path or configure that path on your homelab dashboard or in your OIDC provider (such as in the app settings in Authentik). Users will then always start on the OIDC welcome page, which will allow them to visit the dashboard if they are already logged in.
 *Note: do not replace the standard path with a redirect to the OIDC screen. This breaks login with code.*
--- a/hacs.json
+++ b/hacs.json
@@ -2,5 +2,5 @@
    "name": "OpenID Connect",
    "hide_default_branch": true,
    "render_readme": true,
-    "homeassistant": "2024.12"
+    "homeassistant": "2025.08"
 }
--- a/logo.png
+++ b/logo.png
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -0,0 +1,11 @@
 {
  "name": "hass-oidc-auth",
  "scripts": {
    "css": "tailwindcss -i ./custom_components/auth_oidc/static/input.css -o ./custom_components/auth_oidc/static/style.css --minify",
    "css:watch": "tailwindcss -i ./custom_components/auth_oidc/static/input.css -o ./custom_components/auth_oidc/static/style.css --watch --minify"
  },
  "dependencies": {
    "@tailwindcss/cli": "^4.1.14",
    "tailwindcss": "^4.1.14"
  }
 }
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,30 +1,33 @@
 [project]
 name = "hass-oidc-auth"
-version = "0.4.1"
+version = "0.6.4"
 description = "OIDC component for Home Assistant"
 authors = [
    { name = "Christiaan Goossens", email = "contact@christiaangoossens.nl" }
 ]
 license = "MIT"
 dependencies = [
-    "python-jose>=3.3.0",
+    "aiofiles~=25.1",
-    "aiofiles>=24.1.0",
+    "jinja2~=3.1",
-    "jinja2>=3.1.4",
+    "bcrypt~=5.0",
-    "bcrypt>=4.2.0",
+    "joserfc~=1.6.0",
 ]
 readme = "README.md"
-requires-python = ">= 3.13"
+requires-python = "~=3.14.2"
 [dependency-groups]
 dev = [
    "homeassistant~=2026.1",
    "pylint~=4.0",
    "ruff~=0.12",
 ]
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
-[tool.rye]
+[tool.uv]
 managed = true
 dev-dependencies = [
    "homeassistant~=2024.12",
    "pylint~=3.3",
 ]
 [tool.hatch.metadata]
 allow-direct-references = true
@@ -32,11 +35,5 @@ allow-direct-references = true
 [tool.hatch.build.targets.wheel]
 packages = ["custom_components/auth_oidc"]
-[tool.rye.scripts]
+[tool.ruff]
-check = { chain = ["check-lint", "check-fmt", "check-pylint" ] }
+target-version = "py313"
 "check-lint" = "rye lint"
 "check-fmt" = "rye fmt --check"
 "check-pylint" = "pylint custom_components"
 fix = { chain = ["fix-lint", "fix-fmt" ] }
 "fix-lint" = "rye lint --fix"
 "fix-fmt" = "rye fmt"
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,49 @@
 {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:recommended"
    ],
    "schedule": [
        "every weekend"
    ],
    "vulnerabilityAlerts": {
        "groupName": "vulnerabilityAlerts",
        "enabled": true,
        "schedule": [
            "after 6am and before 6pm"
        ],
        "prCreation": "immediate"
    },
    "lockFileMaintenance": {
        "enabled": true
    },
    "packageRules": [
        {
            "description": "Group all GitHub Actions updates",
            "matchDatasources": [
                "github-actions",
                "github-tags",
                "github-runners"
            ],
            "groupName": "Github Actions Updates",
            "automerge": true
        },
        {
            "description": "Version updates for Home Assistant packages",
            "groupName": "Home Assistant Update",
            "matchPackageNames": [
                "homeassistant",
                "jinja2",
                "bcrypt"
            ],
            "automerge": false
        },
        {
            "description": "Version updates for other Python packages",
            "matchDatasources": [
                "pypi"
            ],
            "automerge": false
        }
    ]
 }
--- a/requirements-dev.lock
+++ b/requirements-dev.lock
@@ -1,286 +0,0 @@
 # generated by rye
 # use `rye lock` or `rye sync` to update this lockfile
 #
 # last locked with the following flags:
 #   pre: false
 #   features: []
 #   all-features: false
 #   with-sources: false
 #   generate-hashes: false
 #   universal: false
 -e file:.
 acme==3.0.1
    # via hass-nabucasa
 aiodns==3.2.0
    # via homeassistant
 aiofiles==24.1.0
    # via hass-oidc-auth
 aiohappyeyeballs==2.4.4
    # via aiohttp
 aiohasupervisor==0.2.1
    # via homeassistant
 aiohttp==3.11.11
    # via aiohasupervisor
    # via aiohttp-cors
    # via aiohttp-fast-zlib
    # via hass-nabucasa
    # via homeassistant
    # via snitun
 aiohttp-cors==0.7.0
    # via homeassistant
 aiohttp-fast-zlib==0.2.0
    # via homeassistant
 aiooui==0.1.7
    # via bluetooth-adapters
 aiosignal==1.3.2
    # via aiohttp
 aiozoneinfo==0.2.1
    # via homeassistant
 anyio==4.7.0
    # via httpx
 astral==2.2
    # via homeassistant
 astroid==3.3.8
    # via pylint
 async-interrupt==1.2.0
    # via habluetooth
    # via homeassistant
 async-timeout==5.0.1
    # via snitun
 atomicwrites-homeassistant==1.4.1
    # via hass-nabucasa
    # via homeassistant
 attrs==24.2.0
    # via aiohttp
    # via hass-nabucasa
    # via homeassistant
    # via snitun
 audioop-lts==0.2.1
    # via homeassistant
    # via standard-aifc
 awesomeversion==24.6.0
    # via homeassistant
 bcrypt==4.2.0
    # via hass-oidc-auth
    # via homeassistant
 bleak==0.22.3
    # via bleak-retry-connector
    # via bluetooth-adapters
    # via habluetooth
 bleak-retry-connector==3.6.0
    # via habluetooth
 bluetooth-adapters==0.20.2
    # via bleak-retry-connector
    # via bluetooth-auto-recovery
    # via habluetooth
 bluetooth-auto-recovery==1.4.2
    # via habluetooth
 bluetooth-data-tools==1.20.0
    # via habluetooth
 boto3==1.35.87
    # via pycognito
 botocore==1.35.87
    # via boto3
    # via s3transfer
 btsocket==0.3.0
    # via bluetooth-auto-recovery
 certifi==2024.12.14
    # via homeassistant
    # via httpcore
    # via httpx
    # via requests
 cffi==1.17.1
    # via cryptography
    # via pycares
 charset-normalizer==3.4.0
    # via requests
 ciso8601==2.3.1
    # via hass-nabucasa
    # via homeassistant
 cryptography==43.0.1
    # via acme
    # via bluetooth-data-tools
    # via hass-nabucasa
    # via homeassistant
    # via josepy
    # via pyjwt
    # via pyopenssl
    # via securetar
    # via snitun
 dbus-fast==2.24.4
    # via bleak
    # via bleak-retry-connector
    # via bluetooth-adapters
 dill==0.3.9
    # via pylint
 ecdsa==0.19.0
    # via python-jose
 envs==1.4
    # via pycognito
 fnv-hash-fast==1.0.2
    # via homeassistant
 fnvhash==0.1.0
    # via fnv-hash-fast
 frozenlist==1.5.0
    # via aiohttp
    # via aiosignal
 h11==0.14.0
    # via httpcore
 habluetooth==3.6.0
    # via home-assistant-bluetooth
 hass-nabucasa==0.86.0
    # via homeassistant
 home-assistant-bluetooth==1.13.0
    # via homeassistant
 homeassistant==2024.12.5
 httpcore==1.0.7
    # via httpx
 httpx==0.27.2
    # via homeassistant
 idna==3.10
    # via anyio
    # via httpx
    # via requests
    # via yarl
 ifaddr==0.2.0
    # via homeassistant
 isort==5.13.2
    # via pylint
 jinja2==3.1.4
    # via hass-oidc-auth
    # via homeassistant
 jmespath==1.0.1
    # via boto3
    # via botocore
 josepy==1.14.0
    # via acme
 lru-dict==1.3.0
    # via homeassistant
 markupsafe==3.0.2
    # via jinja2
 mashumaro==3.15
    # via aiohasupervisor
    # via webrtc-models
 mccabe==0.7.0
    # via pylint
 multidict==6.1.0
    # via aiohttp
    # via yarl
 orjson==3.10.12
    # via aiohasupervisor
    # via homeassistant
    # via webrtc-models
 packaging==24.2
    # via homeassistant
 pillow==11.0.0
    # via homeassistant
 platformdirs==4.3.6
    # via pylint
 propcache==0.2.1
    # via aiohttp
    # via homeassistant
    # via yarl
 psutil==6.1.1
    # via psutil-home-assistant
 psutil-home-assistant==0.0.1
    # via homeassistant
 pyasn1==0.6.1
    # via python-jose
    # via rsa
 pycares==4.5.0
    # via aiodns
 pycognito==2024.5.1
    # via hass-nabucasa
 pycparser==2.22
    # via cffi
 pyjwt==2.10.1
    # via hass-nabucasa
    # via homeassistant
    # via pycognito
 pylint==3.3.3
 pyopenssl==24.2.1
    # via acme
    # via homeassistant
    # via josepy
 pyrfc3339==2.0.1
    # via acme
 pyric==0.1.6.3
    # via bluetooth-auto-recovery
 python-dateutil==2.9.0.post0
    # via botocore
 python-jose==3.3.0
    # via hass-oidc-auth
 python-slugify==8.0.4
    # via homeassistant
 pytz==2024.2
    # via acme
    # via astral
 pyyaml==6.0.2
    # via homeassistant
 requests==2.32.3
    # via acme
    # via homeassistant
    # via pycognito
 rsa==4.9
    # via python-jose
 s3transfer==0.10.4
    # via boto3
 securetar==2024.11.0
    # via homeassistant
 setuptools==75.6.0
    # via acme
 six==1.17.0
    # via ecdsa
    # via python-dateutil
 sniffio==1.3.1
    # via anyio
    # via httpx
 snitun==0.39.1
    # via hass-nabucasa
 sqlalchemy==2.0.36
    # via homeassistant
 standard-aifc==3.13.0
    # via homeassistant
 standard-chunk==3.13.0
    # via standard-aifc
 standard-telnetlib==3.13.0
    # via homeassistant
 text-unidecode==1.3
    # via python-slugify
 tomlkit==0.13.2
    # via pylint
 typing-extensions==4.12.2
    # via homeassistant
    # via mashumaro
    # via sqlalchemy
 tzdata==2024.2
    # via aiozoneinfo
 uart-devices==0.1.0
    # via bluetooth-adapters
 ulid-transform==1.0.2
    # via homeassistant
 urllib3==1.26.20
    # via botocore
    # via homeassistant
    # via requests
 usb-devices==0.4.5
    # via bluetooth-adapters
    # via bluetooth-auto-recovery
 uv==0.5.4
    # via homeassistant
 voluptuous==0.15.2
    # via homeassistant
    # via voluptuous-openapi
    # via voluptuous-serialize
 voluptuous-openapi==0.0.5
    # via homeassistant
 voluptuous-serialize==2.6.0
    # via homeassistant
 webrtc-models==0.3.0
    # via hass-nabucasa
    # via homeassistant
 yarl==1.18.3
    # via aiohasupervisor
    # via aiohttp
    # via homeassistant
--- a/requirements.lock
+++ b/requirements.lock
@@ -1,31 +0,0 @@
 # generated by rye
 # use `rye lock` or `rye sync` to update this lockfile
 #
 # last locked with the following flags:
 #   pre: false
 #   features: []
 #   all-features: false
 #   with-sources: false
 #   generate-hashes: false
 #   universal: false
 -e file:.
 aiofiles==24.1.0
    # via hass-oidc-auth
 bcrypt==4.2.1
    # via hass-oidc-auth
 ecdsa==0.19.0
    # via python-jose
 jinja2==3.1.5
    # via hass-oidc-auth
 markupsafe==3.0.2
    # via jinja2
 pyasn1==0.6.1
    # via python-jose
    # via rsa
 python-jose==3.3.0
    # via hass-oidc-auth
 rsa==4.9
    # via python-jose
 six==1.17.0
    # via ecdsa
--- a/scripts/check
+++ b/scripts/check
@@ -0,0 +1,4 @@
 #! /bin/bash
 uv run ruff check
 uv run ruff format --check
 uv run pylint custom_components
--- a/scripts/fix
+++ b/scripts/fix
@@ -0,0 +1,3 @@
 #! /bin/bash
 uv run ruff check --fix
 uv run ruff format
--- a/scripts/sync
+++ b/scripts/sync
@@ -0,0 +1,2 @@
 #! /bin/bash
 uv sync --locked
--- a/uv.lock
+++ b/uv.lock
Author	SHA1	Message	Date
Christiaan Goossens	4e77b321fd	Bump to 0.6.5	2026-02-06 12:41:03 +01:00
Christiaan Goossens	b688cc872f	Detect misconfiguration on downgrade	2026-02-06 11:54:04 +01:00
Christiaan Goossens	2dea5c6b58	Reset min required HA	2026-02-06 11:44:41 +01:00
Christiaan Goossens	5465c1d213	Run correct workflows	2026-02-06 11:42:14 +01:00
Christiaan Goossens	759ea57bc8	Bump versions & dep maintenance	2026-02-06 11:40:37 +01:00
Andrew Garrett	a0e833ba69	Enable Jinja2 autoescaping (#200 ) - Enable Jinja2 autoescape by default in the template environment. - Use json.dumps to safely inject sso_name into JavaScript context. - Fix linting issue (line too long) in injected_auth_page.py. - Update tests to verify escaping and safe injection. --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: werdnum <271070+werdnum@users.noreply.github.com>	2026-02-06 11:38:01 +01:00
Tricked	9bf2372b7e	Use tailwind cli to compile css instead of tailwind cdn (#132 ) * implement feature * use npm instead of cli	2026-02-06 11:36:16 +01:00
Christiaan Goossens	653c716ea8	Fix 500 on redirect path (#201 ) * Fix 500 on redirect path Co-authored-by: anntnzrb <anntnzrb@proton.me>	2026-02-06 11:30:27 +01:00
Christiaan Goossens	f53c16b20e	Fix manifest json requirements (#152 )	2026-02-06 11:26:02 +01:00
Christiaan Goossens	d54046245f	Migrate to joserfc, remove python-jose (#150 )	2026-02-06 11:25:49 +01:00
Christiaan Goossens	951f85816d	Update doc URL	2025-08-30 13:20:27 +02:00
Christiaan Goossens	99603b4b25	Fix merge mistakes	2025-08-30 13:12:03 +02:00
Christiaan Goossens	6d32757829	Bump version to 0.6.3	2025-08-30 13:08:53 +02:00
renovate[bot]	833360a66d	chore(deps): update dependency homeassistant to v2025 (#115 ) * chore(deps): update dependency homeassistant to v2025 * Fix python version req --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Christiaan Goossens <contact@christiaangoossens.nl>	2025-08-30 13:06:17 +02:00
Christiaan Goossens	c821ac19f7	Fix renovate matcher (#116 )	2025-08-30 13:06:17 +02:00
renovate[bot]	e601a63a3d	chore(deps): update python docker tag to v3.13.7 (#111 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-08-30 13:06:17 +02:00
Christiaan Goossens	17a96da715	Switch to the newer uv package manager (#114 )	2025-08-30 13:06:17 +02:00
renovate[bot]	11b29f2f3b	chore(deps): update actions/checkout action to v5 (#112 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-08-30 13:06:17 +02:00
Evan Zhang	b1519b865d	Persist OIDC logins on HTTP refresh (#105 ) This relates to #70, where refreshing the webpage causes the user to need to login again, due to homeassistant not storing the user's session token `hassTokens`.	2025-08-30 13:06:17 +02:00
Rolf-M	7a31b10d0e	Update microsoft-entra.md (#96 ) * Update microsoft-entra.md Added configuration for role assignement with entra app-registration * Update microsoft-entra.md --------- Co-authored-by: Christiaan Goossens <9487666+christiaangoossens@users.noreply.github.com>	2025-08-30 13:06:17 +02:00
Christiaan Goossens	a6955e64a0	Add docs on disabling registration (#93 )	2025-08-30 13:06:17 +02:00
Christiaan Goossens	c217e46909	Allow forcing HTTPS in URL generation (#92 ) * Force HTTPS feature * Add docs	2025-08-30 13:06:17 +02:00
Christiaan Goossens	f614092af2	Add reference to searching in HACS (#90 )	2025-08-30 13:04:16 +02:00
Christiaan Goossens	4f29740fa0	remove brands ignore (#87 )	2025-08-30 13:04:16 +02:00
Seth	b4d5d7f2bf	Add Additional Scopes to Maximize Functionality from Custom idP (#80 ) * add additional scopes to config schema Keep original groups setting for backwards compatibility. * fix weird text issue * Add support for additional scopes in OIDC setup * fix compile error * Update documentation to include description of additional oidc scopes * clarify documentation	2025-07-09 09:55:37 +02:00
Christiaan Goossens	cb4d72a148	Update README.md (#75 )	2025-06-22 12:32:10 +02:00
Christiaan Goossens	be59c415a0	Add link to Github post for Feature Request (#74 )	2025-06-22 12:29:08 +02:00
Christiaan Goossens	ccd5fb2459	Cleanup the provider docs with new additions (#73 )	2025-06-15 13:52:33 +02:00
fruzitent	fbc47d11ef	docs(kanidm): add kanidm.md (#69 )	2025-06-15 12:54:43 +02:00
Merlijn	881a6cb0be	chore: use 2 space yaml (#61 ) and make clear that other id token signing algs are possible	2025-04-04 11:56:51 +02:00
Christiaan Goossens	178cd4df49	Fix issue in Authelia docs (#56 )	2025-03-03 17:49:46 +01:00
Martin Lavén	de321c8817	Pocket ID instructions (#55 ) * Update pocket-id.md Updated Public client configuration for Pocket ID * Update pocket-id.md Fixed formatting * Update pocket-id.md Updated Home Assistant URL and fixed formatting even more. * Update pocket-id.md continue to fix formatting * Update pocket-id.md * Update pocket-id.md Found the preview button :-) Hopefully last formatting commit. * Update pocket-id.md Added Confidential client configuration * Update pocket-id.md Fixed some formatting again	2025-03-03 17:44:32 +01:00
Christiaan Goossens	aaa977781c	Bump to 0.6.2 (#53 )	2025-02-21 19:46:59 +01:00
Christiaan Goossens	1fc4e0f21a	Fetch userinfo to supplement id_token claims (#50 ) Fetches the userinfo endpoint whenever available to supplement the id_token claims. --------- Co-authored-by: Luca Olivetti <luca@ventoso.org>	2025-02-17 22:55:11 +01:00
Christiaan Goossens	6e56311176	Fix compatibility with Microsoft Entra ID (#48 ) * Fixes necessary for Entra ID * Better error * Bump 0.6.1 * Also bump manifest * Linting	2025-02-16 11:29:24 +01:00
Christiaan Goossens	f24519787b	Change documentation to a better format (#25 ) Added new documentation style, added Authentik & Authelia examples. THank you Hendrik & Ivan! --------- Co-authored-by: Hendrik Sievers <89412959+hendrik1120@users.noreply.github.com> Co-authored-by: Ivan Vasquez <ivanvasquezp@outlook.com>	2025-02-15 14:18:20 +01:00
Christiaan Goossens	d565380435	Add groups scope option & fixup features.include_groups_scope (#42 )	2025-02-15 13:25:04 +01:00
Tom Kölsch	29a2545396	Add feature toggle to disable groups scope (#39 ) * Update README.md Ad two to dos: - bool for scopes - "groups" scope configurable * Update README.md - Add scope bool to configuration options * Final Update for making scope "groups" optinal README: Add scope bool to configuration options Add two to dos: bool for scopes "groups" scope configurable config: Make scope "groups" a feature which can be deactivated init: Make the feature for the groups bool working in the scope variable * Remove double description * Update config.py	2025-02-14 19:03:14 +01:00
renovate[bot]	b39a65ff74	chore: Configure Renovate (#23 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Christiaan Goossens <contact@christiaangoossens.nl>	2025-01-12 13:32:39 +01:00
Christiaan Goossens	63f5f175ee	Fixes Home Assistant error about re-creating HTTP sessions (#22 ) * Bump to 0.5.1 * Prevent HA errors about HTTP session left open	2025-01-12 12:43:41 +01:00
Schakko	bfad0418ad	feat: enable verification of certs via `network.tls_verify` and private CA chains with `network.tls_ca_path` (#16 ) Signed-off-by: Christopher Klein <ckl@dreitier.com>	2025-01-06 10:09:30 +01:00
`@@ -1,4 +1,4 @@`
	`Copyright 2024 Christiaan Goossens`	`Copyright 2024-2025 Christiaan Goossens`

	`Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:`	`Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:`
		`@@ -0,0 +1,3 @@`
							`@import "tailwindcss";`

							`@source "../views/templates";`