146 lines
4.4 KiB
Markdown
146 lines
4.4 KiB
Markdown
# Kanidm
|
|
|
|
## Public client configuration
|
|
|
|
[Home Assistant](https://github.com/home-assistant/core) `/var/lib/hass/configuration.yaml`
|
|
|
|
```yaml
|
|
auth_oidc:
|
|
client_id: "homeassistant"
|
|
discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
|
|
features:
|
|
automatic_person_creation: true
|
|
id_token_signing_alg: "ES256"
|
|
roles:
|
|
admin: "homeassistant_admins@idm.example.org"
|
|
user: "idm_all_persons@idm.example.org"
|
|
```
|
|
|
|
[Kanidm](https://github.com/kanidm/kanidm)
|
|
|
|
1. Create your Kanidm account, if you don't have one already:
|
|
|
|
```shell
|
|
kanidm person create "your_username" "Your Username" --name "idm_admin"
|
|
```
|
|
|
|
2. Create a new Kanidm group for your HomeAssistant administrators (`homeassistant_admins`), and add your regular account to it:
|
|
|
|
```shell
|
|
kanidm group create "homeassistant_admins" --name "idm_admin"
|
|
kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
|
|
```
|
|
|
|
3. Create a new OAuth2 application configuration in Kanidm (`homeassistant`), configure the redirect URL, and scope access:
|
|
|
|
```shell
|
|
kanidm system oauth2 create-public "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
|
|
kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
|
|
kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
|
|
```
|
|
|
|
[Kanidm Provision](https://github.com/oddlama/kanidm-provision) `state.json`
|
|
|
|
```jsonc
|
|
{
|
|
"groups": {
|
|
"homeassistant_admins": {
|
|
"members": ["your_username"]
|
|
}
|
|
},
|
|
"persons": {
|
|
"your_username": {
|
|
"displayName": "Your Username"
|
|
},
|
|
},
|
|
"systems": {
|
|
"oauth2": {
|
|
"homeassistant": {
|
|
"displayName": "Home Assistant",
|
|
"originLanding": "https://hass.example.org/auth/oidc/welcome",
|
|
"originUrl": "https://hass.example.org/auth/oidc/callback",
|
|
"public": true,
|
|
"scopeMaps": {
|
|
"homeassistant_users": ["email", "groups", "openid", "profile"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
## Confidential client configuration
|
|
|
|
[Home Assistant](https://github.com/home-assistant/core) `/var/lib/hass/configuration.yaml`
|
|
|
|
```yaml
|
|
auth_oidc:
|
|
client_id: "homeassistant"
|
|
client_secret: !secret oidc_client_secret
|
|
discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
|
|
features:
|
|
automatic_person_creation: true
|
|
id_token_signing_alg: "ES256"
|
|
roles:
|
|
admin: "homeassistant_admins@idm.example.org"
|
|
user: "idm_all_persons@idm.example.org"
|
|
```
|
|
|
|
[Kanidm](https://github.com/kanidm/kanidm)
|
|
|
|
1. Create your Kanidm account, if you don't have one already:
|
|
|
|
```shell
|
|
kanidm person create "your_username" "Your Username" --name "idm_admin"
|
|
```
|
|
|
|
2. Create a new Kanidm group for your HomeAssistant administrators (`homeassistant_admins`), and add your regular account to it:
|
|
|
|
```shell
|
|
kanidm group create "homeassistant_admins" --name "idm_admin"
|
|
kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
|
|
```
|
|
|
|
3. Create a new OAuth2 application configuration in Kanidm (`homeassistant`), configure the redirect URL, and scope access:
|
|
|
|
```shell
|
|
kanidm system oauth2 create "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
|
|
kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
|
|
kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
|
|
```
|
|
|
|
4. Get the `homeassistant` OAuth2 client secret from Kanidm:
|
|
|
|
```shell
|
|
kanidm system oauth2 show-basic-secret "homeassistant" --name "idm_admin" | xargs echo 'oidc_client_secret: {}' | tee --append "/var/lib/hass/secrets.yaml"
|
|
```
|
|
|
|
[Kanidm Provision](https://github.com/oddlama/kanidm-provision) `state.json`
|
|
|
|
```jsonc
|
|
{
|
|
"groups": {
|
|
"homeassistant_admins": {
|
|
"members": ["your_username"]
|
|
}
|
|
},
|
|
"persons": {
|
|
"your_username": {
|
|
"displayName": "Your Username"
|
|
},
|
|
},
|
|
"systems": {
|
|
"oauth2": {
|
|
"homeassistant": {
|
|
"displayName": "Home Assistant",
|
|
"originLanding": "https://hass.example.org/auth/oidc/welcome",
|
|
"originUrl": "https://hass.example.org/auth/oidc/callback",
|
|
"scopeMaps": {
|
|
"homeassistant_users": ["email", "groups", "openid", "profile"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|