Feedback on the alpha builds

[christiaangoossens]

Do you have any feedback on the alpha builds? Did you get it running? Which parameters did you use?

[moutasem1989]

Today I installed hass-oidc-auth and configured it with Authentik. It worked as expected with no errors!

[FlyingNimbusCloud]

auth_oidc:
  client_id: "homeassistant"
  discovery_url: "https://auth.mydomain.net/.well-known/openid-configuration"
  features:
    automatic_user_linking: true

worked right away with my Authelia OIDC auth provider as a public client. I was bit confused by the "Just Checking" label on the input box but eventually figured out that's for my OTP.

It worked both by clicking the button for the browser session and it also worked to authenticate the app using the OTP

[christiaangoossens]

Good to hear that it works with Authelia.

You also ran into the main downside at the moment: I have not found any options yet on how to make the Home Assistant UI look better (frontend is hard coded for the normal options, so I cannot send any new texts).

That's why I stuck with reusing the existing MFA UI with 'Just checking' and empty description and error messages, to differentiate it from username/password.

[Node815]

I'm testing this with pocket-ID and have encountered some issues and not sure if it's coming from the settings in the OIDC App or Home Assistant is sending it. From Pocket ID's docker log:

[GIN] 2025/01/01 - 06:24:04 | 400 |     538.557µs |    XX.53.XX.26 | POST     "/api/oidc/authorize/new-client"
Error #01: invalid callback URL, it might be necessary for an admin to fix this

The question I have is the "api/oidc/authorize/new-client" I'm not sure if this would be what Home Assistant is telling it or not. In my OIDC Provider's settings, I've tried using both the /auth/oidc/welcome and /auth/oidc/redirect url after my external domain with no success. It sends correctly to the OIDC app but stops there.

Once I get this fixed, I can write up a guide to setting it up with that program. It actually replaced my original Authentik instance! So, it's my main system.

[Node815]

Thanks! That fixed the callback url problem, but now Home Assistant complained about an invalid token:

So, I added that in which then sent gave me the next screen to auth the login as expected and threw:

My config file:

My account in Pocket-ID (The OIDC provider) uses a completely different username than than the Home Assistant admin account (My IRL first name)

To resolve this, I created a username with my IRL name in Pocket-ID and it worked as expected in full!

All of this to say, your README which I used may need to include a note about some systems using the required Client Secret. I though that it was a bit weird when I set it up last night, but I wanted to try. Additionally, the callback URL wasn't specified in the README (Unless I missed it!) :) Also here #3

So, for Pocket-ID:

If you use a different login than your Home Assistant user, you will need to create it and set it up first.
Set the callback in Pocket ID to Match replacing the HASSURL with your external Home Assistant URL:

In the Home Assistant configuration.yaml : (BE AWARE OF ANY YAML SPACING!)

  auth_oidc:
  client_id: "YOUR CLIENT ID copied from the above screen"
  client_secret: "YOUR SUPER SECRET CLIENT Secret copied from the above screen:"
  discovery_url: "https://Pocket-ID_URL.com/.well-known/openid-configuration"
  features:
      automatic_user_linking: true

Then, save and restart Home Assistant and test!

[christiaangoossens]

@Node815 Some notes on your discoveries:

• You can either configure it as confidential (the default setting apparently for Pocket ID, in which case you indeed need the client secret) or public (the checkbox above the Home Assistant logo in your last screenshot), which was what the README is currently written for (as it's a bit easier to setup). So, if you would have checked that checkbox, you could have left out the client secret.
  • Also make sure to use the !secret helpers such that you never accidentally share your secret (it's effectively still visible in your screenshot as well)
• The issue with the groups (the NoneType error) should be resolved in the next patch release.
  • I will also make the group configurable, so if Pocket ID supports groups you can get admin on your new HA account automatically if you have that group in Pocket ID
  • If you don't have important configuration in your account, this would allow you to use your normal OIDC account instead of the "same-username" one you created.
  • You should disable automatic user linking again after you are done for better security, especially if you delete the "same-username" account in Pocket ID later on.
• I will include the callback URL in the next update of the README, thank you for the suggestion!

[Node815]

The client ID is the public ID so I didn't see the need to obscure that in my screenshot. :)

Pocket ID does have group support, I have admin and standard users. (It's my family) so, myself, wife and daughter who I will be migrating their mobile login to the external Home Assistant login after I get the redirect set up to that URL. Once they are set up, I will disable the user linking.

Thank you so much for making this plugin! I voted a while back in the open letter for OIDC and it does seem Nabu Casa is not too motivated in making this possible so having this as an option is a welcome relief!! 👍

[christiaangoossens]

The client ID is the public ID so I didn't see the need to obscure that in my screenshot. :)

Haha, no I meant that I can just about guess the secret characters because the blur is slightly too high.

Pocket ID does have group support, I have admin and standard users. (It's my family) so, myself, wife and daughter who I will be migrating their mobile login to the external Home Assistant login after I get the redirect set up to that URL. Once they are set up, I will disable the user linking.

If you can, it would be very helpful if you can enable debug mode (HA docs have details on how to do that) and send me a copy of your id token with groups in it, so I can see the format. It should be logged if debug is on. Otherwise, I will get around to that when I test pocket id myself.

Thank you so much for making this plugin! I voted a while back in the open letter for OIDC and it does seem Nabu Casa is not too motivated in making this possible so having this as an option is a welcome relief!! 👍

Thank you! Hope it helps. Make sure to wait a little bit until at least beta to migrate your family, as things might still change or break. Gotta keep that Wife Approval Factor ;)

[Node815]

If you can, it would be very helpful if you can enable debug mode (HA docs have details on how to do that) and send me a copy of your id token with groups in it, so I can see the format. It should be logged if debug is on. Otherwise, I will get around to that when I test pocket id myself.

I run the Home Assistant OS in Promox so I can log into the container and follow logs. I did enable the logger: in the configuration.yaml though for the component and captured an error for the Pocket-ID Admin group user but don't think that would be of help here. (it's mostly async and python errors in the aiohttp and http components. ) Which are more than likely due to the grouping issue.

Thank you! Hope it helps. Make sure to wait a little bit until at least beta to migrate your family, as things might still change or break. Gotta keep that Wife Approval Factor ;)

Of course! I tend to live on the bleeding edge of things on my systems in running beta/alpha stuff periodically. Even my OS is on the bleeding edge and a rolling release distro! My wife only uses her mobile device for anything she does, she rarely uses the HA dashboard except to control our lights. :) We use it for real-time geolocation of our devices when we are out in the metro areas here, so we can know where a family member is. Especially helpful for anxiety prone members of my family!

[begleyt]

Thanks for what you created.

I was able to get this to work with NextCloud OIDC client add on app.

I had to align the Display name in nextcloud with the username in home assistant to get the two exisitng accounts to link. I utlized the claims parameters to accomplish that.

auth_oidc:
  client_id: "{clientID}"
  discovery_url: "https://{yourdomain}/.well-known/openid-configuration"
  display_name: "Login with NextCloud"
  features:
      automatic_user_linking: true
  claims:
    display_name: preferred_username
    username: name

[vilmosnagy]

I just installed my first ever home assistant instance, and I'm very happy that I can use my pre-existing keycloak instance for login (with this my wife does not have to remember passwords).

But is there a way to have something similar to Home Assistant's "Keep me logged in" feature? With the current setup I have to click the login button on every page reload, which is not a huge hassle, but still a bit annoying. Thanks,

[christiaangoossens]

I do stay logged in for page reloads/new tabs, can you give me more details on when you get signed out?

[vilmosnagy]

@christiaangoossens I'll try to upload a video here; it logs me out on a simple reload / F5 key press. The OS is up-to-date Fedora, with an up-to-date Chrome as the browser. I've cropped the URL of my HA server, but if it helps then I try to record a video with the full screen and just the URL blurred.

I didn't have the time to debug more, but if you could point me in a few directions, I'm willing to give it a go. I'm new with Home Assistant, and I have a very small Python experience (I've developed a few Django apps ~10ish years ago as a junior dev).

home-assistant-reload-logout.webm

[christiaangoossens]

@vilmosnagy Can you login with a normal HA account without selecting anything special such as 'keep me logged in'? This seems like an HA bug or a cookie/proxy error.

[vilmosnagy]

@christiaangoossens hm, you seem to be right. Without selecting the keep me logged in function HA logs me out instantly on the first page reload - I always tick these keep me logged in boxes everywhere, that's why I didn't found this issue.

Isn't that suppose to happen? Thanks for the info, gonna take a look at HA's repositories for a similar issue.

[christiaangoossens]

@vilmosnagy Logging in without that checkmark should keep you logged in for 30 minutes (which it does seem to do on my own install), so your OIDC login should stay there for 30 min. If you check 'Keep me logged in', you will stay logged in for longer (indefinitely?)

Your browser might delete your local storage on every refresh, might be a good place to start your search.

[Dreanaught]

I use it with authentik and have no problems.
The only thing i wonder is the discovery-url. On other services, immich for example, the "/.well-known/openod-configuration"-part is not required.

auth_oidc:
  client_id: "clientID"
  client_secret: "clientSecret"
  discovery_url: "https://domain.tld/application/o/home-assistant/.well-known/openid-configuration"
  features:
    automatic_user_linking: false

[christiaangoossens]

You're right, that part is defined, so there is no technical reason we need it. Just chose to include it because it's easy to recognise and to instruct people to copy the '.well-known/openid-configuration' URL.

[deftmartian]

Greate work on this. I use Authentik. Was using a buggy forward auth config previously.

It took me a minute to figure out how to fix the following error:

2025-02-23 15:48:59.535 WARNING (MainThread) [custom_components.auth_oidc.oidc_client] ID Token received signed with the wrong algorithm: ES256, expected RS256
2025-02-23 15:48:59.535 WARNING (MainThread) [custom_components.auth_oidc.oidc_client] Failed to complete token flow, returning None. ()

Had debugging enabled, but didn't realize it was a config option. My cert is signed by letsencrypt

[christiaangoossens]

The best way to resolve this is within Authentik by enabling the signing certificate there. Still has to be added to the guide too.

[deftmartian]

Sorry, I wasn't very clear. I had enabled letsencrypt cert as the signing key in the Authentik provider. The hass-oidc-auth integration expects a RS256 key by default.

once I updated my config to change this to ES256, everything worked as expected.

my config:

auth_oidc:
    client_id: "example"
    client_secret: !secret oidc_client_secret
    discovery_url: "https://example.com/.well-known/openid-configuration"
    id_token_signing_alg: "ES256"