
hass-oidc-auth's People

Contributors

christiaangoossens


hass-oidc-auth's Issues

It's not clear what this repository is about

I know it's a WIP repository, but I don't understand what problem it's trying to solve.

If you're trying to skip the HASS login page (typically by redirecting to some SSO server like Authelia), then there's no way this can work since redirection must happen before the HTTP request's body is started and it's inside the body that the authentication API requests are triggered. Even with a JavaScript hack trying to change window.location to the SSO's login page, this will create a clunky user experience, where the browser loads the (heavy) login page and then throws it away to load the SSO login page.

Due to the code size of HASS, I'm not sure a solution like using a reverse proxy to HASS from Authelia is a good solution either (and again, it's clunky for any automation like the mobile app or any application that's not expecting this lengthy redirect dance).

If I understand correctly what was implemented here, and the HASS source code here, I think this isn't the right place to act.

Typically, I think it would be better if authentication would be completely bypassed (that is, by changing HASS core behavior to an "Always authenticated" auth provider that would simply ignore authentication if some internal + external header are present) so that the login page is never requested at all.

Then the code would hook into the AuthStore class instead so it can request the OIDC provider here instead (like Authelia or any other) for the user's information, but from the server side. In case of failure (bad authentication, expired token, etc.), it would actually redirect the client (browser/mobile app) to the defined callback before any view is actually generated, so it's a real SSO process.

For a mobile app or any other application that isn't expecting this redirect dance, this can then be bypassed since the required header won't be there, and the default HASS login will trigger.

So the process would be something like:

Web: [SSO proxy] => [NGINX ] => [HASS] 
           /\   "X-InternalHeader: present"    

Mobile: [NGINX] => [HASS]
             "No specific header present"

Inside HASS, the pseudo code would do:

AlwaysValidAuthProvider:
    if (X-InternalHeader present) => change AuthStore to OIDCAuthStore
    else => forward to the next AuthProvider

OIDCAuthStore:
    // From configuration, connect to the OIDC provider to check if a valid token is available.
    // If no token is found, redirect the client to the authentication page (the next try should succeed then).
    // Else the token is valid; extract the user information from OIDC.
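An added example (not code from hass-oidc-auth or from the issue author) that models the routing sketched above as plain Python: requests carrying the internal header go to an OIDC-backed store, everything else falls through to the default HASS login. It adds the one check such a design needs, honouring the header only when the connecting peer is a known proxy, since any client can set arbitrary headers. The header name `X-InternalHeader` comes from the diagram; `decide_auth`, `OidcStore`, the trusted-proxy list and the use of an `Authorization` header to carry the token are assumptions, and the session table is constructed sample data.

```python
"""Model of the header-gated auth routing from the issue, plus a proxy-trust check.
Assumed names: decide_auth, OidcStore, header_is_trusted. Not hass-oidc-auth's code."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

INTERNAL_HEADER = "X-InternalHeader"  # header name taken from the issue's diagram


@dataclass
class Decision:
    store: str                      # "oidc" or "default" (normal HASS login)
    redirect: Optional[str] = None  # set when the client must visit the IdP first
    user: Optional[str] = None      # OIDC subject when the token is valid


def header_is_trusted(headers: Dict[str, str], peer_ip: str,
                      trusted_proxies: Iterable[str]) -> bool:
    """Honour the internal header only if the request came from our own proxy.
    Without this, any client could spoof the header and skip the login entirely."""
    if headers.get(INTERNAL_HEADER) != "present":
        return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(net) for net in trusted_proxies)


class OidcStore:
    """Stand-in for the OIDCAuthStore in the issue. The real thing would query the
    OIDC provider; here a constructed token table (token -> (subject, expiry)) is used."""

    def __init__(self, sessions: Dict[str, Tuple[str, float]], callback_url: str,
                 now: Callable[[], float] = time.time):
        self.sessions = sessions
        self.callback_url = callback_url
        self.now = now

    def authenticate(self, token: str) -> Decision:
        entry = self.sessions.get(token)
        if entry is None or entry[1] <= self.now():
            # No or expired token: redirect before any view is generated (real SSO flow)
            return Decision("oidc", redirect=self.callback_url)
        return Decision("oidc", user=entry[0])


def decide_auth(headers: Dict[str, str], peer_ip: str,
                trusted_proxies: Iterable[str], store: OidcStore) -> Decision:
    """AlwaysValidAuthProvider from the issue, with the proxy-trust check added."""
    if not header_is_trusted(headers, peer_ip, trusted_proxies):
        return Decision("default")  # mobile app etc.: fall through to HASS login
    return store.authenticate(headers.get("Authorization", ""))
```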
