Kanidm
Public client configuration
Home Assistant /var/lib/hass/configuration.yaml
auth_oidc:
  client_id: "homeassistant"
  discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
  features:
    automatic_person_creation: true
  id_token_signing_alg: "ES256"
  roles:
    admin: "homeassistant_admins@idm.example.org"
    user: "idm_all_persons@idm.example.org"
- Create your Kanidm account, if you don't have one already:
  kanidm person create "your_username" "Your Username" --name "idm_admin"
- Create a new Kanidm group for your Home Assistant administrators (homeassistant_admins), and add your regular account to it:
  kanidm group create "homeassistant_admins" --name "idm_admin"
  kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
- Create a new public OAuth2 application configuration in Kanidm (homeassistant), configure the redirect URL, and scope access:
  kanidm system oauth2 create-public "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
  kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
  kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
Kanidm Provision state.json
{
  "groups": {
    "homeassistant_admins": {
      "members": ["your_username"]
    }
  },
  "persons": {
    "your_username": {
      "displayName": "Your Username"
    }
  },
  "systems": {
    "oauth2": {
      "homeassistant": {
        "displayName": "Home Assistant",
        "originLanding": "https://hass.example.org/auth/oidc/welcome",
        "originUrl": "https://hass.example.org/auth/oidc/callback",
        "public": true,
        "scopeMaps": {
          "homeassistant_users": ["email", "groups", "openid", "profile"]
        }
      }
    }
  }
}
Confidential client configuration
Home Assistant /var/lib/hass/configuration.yaml
auth_oidc:
  client_id: "homeassistant"
  client_secret: !secret oidc_client_secret
  discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
  features:
    automatic_person_creation: true
  id_token_signing_alg: "ES256"
  roles:
    admin: "homeassistant_admins@idm.example.org"
    user: "idm_all_persons@idm.example.org"
- Create your Kanidm account, if you don't have one already:
  kanidm person create "your_username" "Your Username" --name "idm_admin"
- Create a new Kanidm group for your Home Assistant administrators (homeassistant_admins), and add your regular account to it:
  kanidm group create "homeassistant_admins" --name "idm_admin"
  kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
- Create a new confidential OAuth2 application configuration in Kanidm (homeassistant), configure the redirect URL, and scope access:
  kanidm system oauth2 create "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
  kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
  kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
- Get the homeassistant OAuth2 client secret from Kanidm and append it to the Home Assistant secrets file (xargs needs -I for the {} placeholder to be substituted):
  kanidm system oauth2 show-basic-secret "homeassistant" --name "idm_admin" | xargs -I {} echo 'oidc_client_secret: {}' | tee --append "/var/lib/hass/secrets.yaml"
Kanidm Provision state.json
{
  "groups": {
    "homeassistant_admins": {
      "members": ["your_username"]
    }
  },
  "persons": {
    "your_username": {
      "displayName": "Your Username"
    }
  },
  "systems": {
    "oauth2": {
      "homeassistant": {
        "displayName": "Home Assistant",
        "originLanding": "https://hass.example.org/auth/oidc/welcome",
        "originUrl": "https://hass.example.org/auth/oidc/callback",
        "scopeMaps": {
          "homeassistant_users": ["email", "groups", "openid", "profile"]
        }
      }
    }
  }
}
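The Home Assistant auth_oidc block and the Kanidm Provision state.json above have to agree with each other (client_id, public vs. confidential, discovery URL, origins, scopes, role groups), and a mismatch usually only shows up as a failed login. The following check is an added example, not code from Kanidm, Kanidm Provision or the Home Assistant OIDC integration; it covers both the public and the confidential variant, uses a constructed copy of the confidential configuration (the YAML expressed as a dict, with a literal standing in for the !secret reference), and assumes idm_all_persons is the only built-in Kanidm group a role may reference.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the confidential-client variant from this page.
HASS_AUTH_OIDC = {
    "client_id": "homeassistant",
    "client_secret": "<value from secrets.yaml>",
    "discovery_url": "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration",
    "roles": {"admin": "homeassistant_admins@idm.example.org",
              "user": "idm_all_persons@idm.example.org"},
}
KANIDM_STATE = json.loads("""{
  "groups": {"homeassistant_admins": {"members": ["your_username"]}},
  "persons": {"your_username": {"displayName": "Your Username"}},
  "systems": {"oauth2": {"homeassistant": {
    "displayName": "Home Assistant",
    "originLanding": "https://hass.example.org/auth/oidc/welcome",
    "originUrl": "https://hass.example.org/auth/oidc/callback",
    "scopeMaps": {"homeassistant_users": ["email", "groups", "openid", "profile"]}
  }}}
}""")
BUILTIN_GROUPS = {"idm_all_persons"}  # assumed: Kanidm built-in group used by the user role

def check_oidc_config(hass, state):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    cid = hass["client_id"]
    client = state.get("systems", {}).get("oauth2", {}).get(cid)
    if client is None:
        return [f"no OAuth2 client '{cid}' in state.json"]
    # A public client carries no secret; a confidential one must have one.
    if client.get("public", False) == ("client_secret" in hass):
        findings.append("client_secret must be set exactly when the client is not public")
    disc = urlparse(hass["discovery_url"])
    if disc.scheme != "https" or disc.path != f"/oauth2/openid/{cid}/.well-known/openid-configuration":
        findings.append("discovery_url must be https and match client_id")
    land, redir = urlparse(client["originLanding"]), urlparse(client["originUrl"])
    if land.scheme != "https" or (land.scheme, land.netloc) != (redir.scheme, redir.netloc):
        findings.append("originLanding and originUrl must share one https origin")
    # Every scope map needs 'openid' (OIDC itself) and 'groups' (role mapping).
    for grp, scopes in client.get("scopeMaps", {}).items():
        missing = {"openid", "groups"} - set(scopes)
        if missing:
            findings.append(f"scope map {grp} lacks {sorted(missing)}")
    # Role groups must exist in state.json or be Kanidm built-ins.
    known = set(state.get("groups", {})) | BUILTIN_GROUPS
    for role, spn in hass["roles"].items():
        if spn.split("@")[0] not in known:
            findings.append(f"role {role} maps to unknown group {spn}")
    return findings
```

Run it against the real files after loading them (the YAML with a loader that tolerates the !secret tag) and treat any finding as a blocker before restarting Home Assistant.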