[Need help] Use additional http headers to authenticate against Cloudflare SSO. (Or other SSO) #3510
Conversation
Hello @Meister1977, when attempting to inspect the commits of your pull request for CLA signature status among all authors we encountered commit(s) which were not linked to a GitHub account, thus not allowing us to determine their status(es). The commits that are missing a linked GitHub account are the following: Unfortunately, we are unable to accept this pull request until this situation is corrected. Here are your options:
We apologize for this inconvenience, especially since it usually bites new contributors to Home Assistant. We hope you understand the need for us to protect ourselves and the great community we all have built legally. The best thing to come out of this is that you only need to fix this once and it benefits the entire Home Assistant and GitHub community. Thanks, I look forward to checking this PR again soon! ❤️
Hi @Meister1977, it seems you haven't yet signed a CLA. Please do so here. Once you do that we will be able to review and accept this pull request. Thanks!
Please delete my email address from the comments. Thanks!
This PR should have some kind of documentation linked to it. Possibly as part of network troubleshooting? Also we may want to update the messaging to make it more clear that not every user needs to use this. In fact we should probably hide this when the device is using HA Cloud.
I tried your changes, and the app didn't let me reauthenticate when I revoked the session for my Cloudflare Access user. (It can be done here: https://one.dash.cloudflare.com/*****/team/users/view. Obviously, change ***** to the actual hex string for your CF Access account. Then click on the big red After revoking the session, I was able to use a Service widget to toggle a light, so the Maybe I'm doing something wrong 🤷‍♂️
@marazmarci, you should create a service token in the Cloudflare admin and use that. My change is for this, not for solving SSO in the WebView.
@dshokouhi, could you help with the text? I am not a native English speaker, so if you can change anything in the strings.xml, please suggest it to me.
The Service Token is only used by the I did some testing: I first set the Cloudflare Access application's session duration to 15 minutes. Then I installed your version on my device, used only my Cloudflare domain at the initial setup (not the internal), authenticated inside the When I turned it off, I was able to authenticate in the browser, and when the session expired again (after 15 mins), it showed the one.dash.cloudflare.com → Applications → <your HA application> → Settings → turn off I tried exactly the same with the latest release (without your changes), and it behaved exactly the same as I described above. However, there was one difference: I was able to use a Service Button widget with your changes and a Service Token set up.
Works perfectly for me, using Cloudflare Access and Service Tokens to grant the companion app access to my HA server behind Nice work, however, like @dshokouhi mentioned, you might change the way options are shown in the settings.
Thanks @mathix420, because I am not a native English speaker, I need help to write the documentation and to change the text in the app. I have already asked @dshokouhi too.
@marazmarci when using service tokens correctly you should not be prompted to authenticate, I don't really understand why you need to enter a PIN. Here is my access config for using service tokens: Note the use of a Maybe my setup can help you understand your problem, or maybe you have different requirements than mine that I didn't understand.
@Meister1977 Sure, I will try to help you with this once I get a bit of free time this week, but I have very little experience with Kotlin so my help might be limited.
Thanks @mathix420,
The requested changes do not only concern text/documentation, but also hiding the setting when using HA Cloud, as it isn't relevant in that case.
@jpelgrom I am working on it to hide the settings. But I still need the good texts.
@Meister1977 you can push changes here with the hidden/updated settings with placeholders, I will correct the texts.
To quote the PR template: "user-facing change not in the frontend, please include screenshots in light and dark mode", which applies here, so please update the description with a screenshot as well after you're happy with the text :)
...on/src/main/java/io/homeassistant/companion/android/common/data/prefs/PrefsRepositoryImpl.kt
Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍
Supporting these kinds of remote connections requires hacks and workarounds and complicates the maintenance of our codebase. Therefore we will not be able to accept this pull request. Users can continue to use a browser to access their Home Assistant instance if they are using Cloudflare or other similar solutions.
Without remote connection, Home Assistant Companion App loses quite a lot of its usefulness. Location tracking? Useless on LAN. Yes, some of the features can work even in the browser version, but only some.
What an absurd statement to make with all the people following this thread, and the amount of effort gone into making it a reality. As tajnymag said, you're making so many features useless or requiring us to open up insecure ports on our home networks. I figured something as open as Home Assistant would make an effort to be security conscious but this decision completely goes against that.
@balloob this is crazy, a lot of hard work has gone into this, and MANY people want to secure their services using Cloudflare Zero Trust. Adding a few HTTP headers to requests is not a massive hack. I don't see why Home Assistant would not want to support enhanced security. Many other applications support this kind of extra layer of authentication - a layer that protects us from any zero-day bugs in Home Assistant.
I will keep maintaining my fork!
Thank you! I'll continue to use this security focused version as it seems basic security practices are "too complicated" for the main version. @balloob:
Sad to see similar PRs getting closed without a sensible solution offered.
That's what I was thinking. If OIDC support was built in then this wouldn't even be needed as much, and there are individuals willing to try to implement this but no support from key individuals to implement it, so it gets denied. I use mTLS, but that's easy to maintain for a few devices, not if there are many devices; then it's not easy.
What an absurd statement, how is adding a few lines to a request considered a "hack"? I get the feeling that the fact that a solution like this is in direct opposition to Home Assistant Cloud somehow plays a part in this...
@Gathaeryx Would make more sense than "headers are too complicated / hacky". Could be onto something...
I pay for Home Assistant Cloud but prefer to use Cloudflare.
I've spoken to one of the developers on the Discord channel, and the main blocker seems to be that WebView doesn't support extra headers, so they are not used on the front end part of the app. If that is true then that doesn't really sound great. A user would expect the headers to be used throughout, not only on part of the app.
@garysargentpersonal I have been using my fork since last June, and it works.
@garysargentpersonal so, there are two types of connections. One of them is the "api calls". These calls happen in the background. These calls need the api-key in the header, because OAuth tokens expire.
That does sound a bit hacky though and very tied into Cloudflare. It isn't going to work with any other protection using just HTTP header authentication, is it? Like nginx.
@garysargentpersonal it just adds header fields that you can set to anything. It'll work with anything that can receive the headers. Nothing specifically to do with Cloudflare. The name and value can be set, so it's very generic.
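As an added example, not code from this PR or from the Home Assistant companion app, the following Python model shows the mechanism the two comments above describe: the background API client attaches two operator-configured name/value headers next to the normal Home Assistant bearer token, and whatever gateway sits in front of Home Assistant (Cloudflare Access, nginx, or anything else that can read request headers) admits or rejects the request before it reaches the instance. The header names and token values below are assumptions chosen for the illustration; the gateway logic only depends on them being configurable strings, which is the point being made in the thread. The check compares values in constant time and returns a single generic 403 on any failure.

```python
import hmac
from typing import Dict, Tuple

# Constructed sample credential values (not real tokens). In practice the gateway
# operator issues these and the app user pastes them into the two header slots.
SAMPLE_CLIENT_ID = "0123abcd4567.access"
SAMPLE_CLIENT_SECRET = "constructed-service-token-secret"

# Header names are assumptions for this illustration. The app only stores a
# name/value pair, so a different gateway is matched by changing these strings.
HEADER_ID = "CF-Access-Client-Id"
HEADER_SECRET = "CF-Access-Client-Secret"


def build_api_request_headers(extra: Dict[str, str], bearer_token: str) -> Dict[str, str]:
    """Client side: headers the background API client would attach.

    The two configured headers ride alongside the Home Assistant bearer token;
    the gateway consumes the former and Home Assistant the latter. A slot whose
    name is left blank in the settings is simply not sent.
    """
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    }
    for name, value in extra.items():
        if name.strip():
            headers[name.strip()] = value
    return headers


def gateway_check(headers: Dict[str, str], expected: Dict[str, str]) -> Tuple[int, str]:
    """Gateway side: admit the request only if every expected header matches.

    Header names match case-insensitively (HTTP header names are case-insensitive
    and proxies often rewrite case). Values are compared with hmac.compare_digest
    so response timing does not reveal how many leading characters were right,
    and every failure yields the same 403 so a probe cannot distinguish a
    missing header from a wrong value.
    """
    presented = {name.lower(): value for name, value in headers.items()}
    ok = True
    for name, value in expected.items():
        got = presented.get(name.lower(), "")
        # '&' instead of 'and' so every header is compared even after a mismatch.
        ok &= hmac.compare_digest(got.encode("utf-8"), value.encode("utf-8"))
    if not ok:
        return 403, "forbidden"
    return 200, "forwarded to Home Assistant"


def simulate(extra: Dict[str, str]) -> int:
    """Run one client request through the gateway and return the HTTP status."""
    request_headers = build_api_request_headers(extra, bearer_token="ha-long-lived-token")
    expected = {HEADER_ID: SAMPLE_CLIENT_ID, HEADER_SECRET: SAMPLE_CLIENT_SECRET}
    status, _ = gateway_check(request_headers, expected)
    return status


if __name__ == "__main__":
    good = {HEADER_ID: SAMPLE_CLIENT_ID, HEADER_SECRET: SAMPLE_CLIENT_SECRET}
    print("correct token ->", simulate(good))                                         # 200
    print("no headers    ->", simulate({}))                                           # 403
    print("wrong secret  ->", simulate({HEADER_ID: SAMPLE_CLIENT_ID, HEADER_SECRET: "x"}))  # 403
```

Note what this model does and does not cover: the gateway check only ever sees requests made by the native API client that built the headers, so it says nothing about traffic from an embedded WebView that never had the headers attached, which is the limitation raised later in the thread.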
It doesn't though, that's the problem. It doesn't add them to requests from WebView.
🤔 https://mobitechwise.com/ios/how-to-customize-webview-headers-on-ios-and-android/
Hi! Yes, true, technically you can add custom headers, but as I wrote at the end of this comment,
Thanks for the clarification @marazmarci, that does explain the comments mentioned from Discord.
To be honest, reading through what you linked, including the open letter and trying to get a general gist of what's going on, it really does paint a picture that Home Assistant doesn't care about security. Every possible way people are suggesting to tighten things up seems to have some form of problem. One day HA is gonna have a big problem appear. A zero day, unseen by everyone, and people are gonna point back to these discussions and hindsight will be 20/20. Don't even get me started on "My dad isn't gonna set up OIDC" - my dad also isn't gonna set up MFA, but anyone wanna argue MFA is useless? There's an opportunity to work this out and try to progress things, instead of shutting down PRs that are making things more secure.
They do say mTLS is supported, which Cloudflare supports. That might allow the HA companion app to work through Cloudflare Zero Trust.
Yes, mTLS is supported and works with Cloudflare indeed. It also works in the HA Wear OS app. I put together a small guide mainly for my future self, but I hope it can also be useful for others:
Thanks for the mTLS guide, disappointed in the devs not wanting to help with a solution.
I know it's frustrating but blaming the devs isn't the answer. They have helped quite a few times adding comments. They are just not what you want to hear, which essentially is that Android has some limitations which mean a neat solution that works for everyone without quirks isn't possible.
Thanks for all the feedback. This is not the right place to discuss this further, please join our community forums or Discord chat. There are enough other options that do work with the app, including a VPN, Home Assistant Cloud or opening a port on your router.
Summary
Added an option to define 2 additional HTTP headers to use Cloudflare Zero Trust with a service token (or other SSO systems).
#2650
Screenshots
Link to pull request in Documentation repository
Any other notes
Please feel free to decline the pull request, I am not a Kotlin developer; I just added this feature because I needed it. If you can use any part of this commit to add this feature in a better way, just do it.