Universal authentication provider for external services #19975
Comments
I would be interested in this (would love to see what you've got). I've been thinking about making a fully integrated LDAP provider and this would be a good way to see how to go about this.
Yes, I was thinking about a native LDAP provider as well, but find this a lot more flexible. I just extended the companion script to support both. Docs aren't written yet, but the code is almost ready to share I think.
And, at least for me, I don't see a reason to reinvent the wheel. With the generic approach, I rely on well-known LDAP clients and get this working with almost no custom code.
Would curl be the right interface or should it just be a "command line auth provider"?
Yeah, I would want to integrate groups with Home Assistant groups; assuming this allows that, it would be sufficient for my needs.
For now, it can only grant or revoke access based on custom LDAP filters, including groups, but isn't integrated with HA groups. The developer docs don't seem to provide information about how to do that. Any user is just placed in the system-admin group.
Yeah, that part is still under construction.
@balloob What I did is a generic one, just executing a configurable program, nothing specific to curl.
@balloob Good to know. I included a mechanism to pass custom fields from the program back to HA via stdout, which is currently used only for
What would be the best way to get data back, print JSON? Or would we provide a value_template and allow users to hack stuff with Jinja2?
Hmm, it's very simple right now, just lines of the form:
like the output of the
Ah, you talk about making the complete login flow dynamic as well, not just fields to write to the user account, right?
I was thinking just name and groups. Don't want to go too crazy, or no one will use it because it's too complicated.
Yes, my thoughts. But then, I think, a simple
Yeah, that will work.
Ok, then let me sanitize the code and make the PR; we could then discuss the details. Docs will be done when the API is finalized.
Alright, there you go. Maybe we should continue the discussion in the PR thread.
Oh seriously, what's going on with GitHub... 404, 405, 504 errors all day long.
…g a command (#19985)
* Added external auth provider that calls a configurable program. Closes #19975
* Raise proper InvalidAuth exception on OSError during program execution
* Changed name of external auth provider to command_line
* Renamed program config option to command in command_line auth provider
* Made meta variable parsing in command_line auth provider optional
* Added tests for command_line auth provider
* Fixed indentation
* Suppressed wrong pylint warning
* Fixed linting
* Added test for command line auth provider login flow
* Log error when user fails authentication
* Use %r formatter instead of explicit repr()
* Mix all used names of typing module into module namespace. I consider this nasty and bad coding style, but was requested by @awarecan for consistency with the remaining codebase.
* Small code style change
* Strip usernames with command_line auth provider
Hi,

I wrote a universal auth provider that calls a user-defined program, passing username and password via the environment, and then grants access on return code 0. It works similar to the `auth-user-pass-verify` option of OpenVPN. Even the visible name for the user can be written to stdout by the external program and is then added to HA's database. It's all fully async, of course. I use it with a very simple shell script that uses `curl` to do LDAP authentication (including group membership checks); works like a charm, even in the official Docker image, thanks to `curl` being available there. It could be used for all kinds of authentication mechanisms, like PAM, flat databases, etc.

If you'd appreciate it, I could write the docs for it and submit a PR.

Best regards
Robert
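As an added example (not code from this issue or from the Home Assistant PR that followed it), here is a minimal provider-side implementation of the scheme described in the post: credentials go to a configurable program via the environment, return code 0 grants access, and optional `key = value` lines on stdout become meta variables such as the display name. The environment variable names `username`/`password`, the stdout format and the embedded stand-in verifier script are assumptions of the example.

```python
import os
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed stand-in for a user-supplied verifier program (a real one would
# query LDAP, PAM, a flat file, ...). It reads the credentials from the
# environment, exits 0 on success and prints "name = <display name>" to stdout.
# The variable names "username"/"password" and the "key = value" output format
# are assumptions of this example; the issue text does not specify them.
VERIFIER_SCRIPT = r"""
import os, sys
users = {"robert": ("hunter2", "Robert Example")}  # constructed test data
entry = users.get(os.environ.get("username", ""))
if entry is None or entry[0] != os.environ.get("password", ""):
    sys.exit(1)
print("name = " + entry[1])
"""

DEMO_COMMAND: List[str] = [sys.executable, "-c", VERIFIER_SCRIPT]

def authenticate(command: List[str], username: str, password: str,
                 timeout: float = 10.0) -> Tuple[bool, Dict[str, str]]:
    """Run the external program; return (access granted, meta variables).

    Credentials travel in the environment rather than in argv so they never
    show up in process listings; the program is started without a shell so a
    username cannot inject shell syntax; a timeout bounds a hung backend.
    """
    env = {**os.environ, "username": username.strip(), "password": password}
    try:
        proc = subprocess.run(command, env=env, capture_output=True,
                              text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        # Missing, non-executable or hung program: treat as a failed login.
        return False, {}
    if proc.returncode != 0:
        return False, {}
    # Optional meta variables: "key = value" lines on stdout, e.g. "name = ...".
    meta: Dict[str, str] = {}
    for line in proc.stdout.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            meta[key.strip()] = value.strip()
    return True, meta

if __name__ == "__main__":
    print(authenticate(DEMO_COMMAND, "robert", "hunter2"))
```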