Universal authentication provider for external services

[bob1de]

Hi,

I wrote an universal auth provider that calls a user-defined program, passing username and password via environment and then grants access on returncode 0. It works similar to the auth-user-pass-verify option of OpenVPN. Even the visible name for the user can be written to stdout by the external program and is then added to HA's database. It's all fully async, of course.

I use it with a very simple shell script that uses curl to do LDAP authentication (including group membership checks), works like a charm, even in the official Docker image, thanks to curl being available there.

It could be used for all kinds of authentication mechanisms, like PAM, flat databases, etc.

If you'd appreciate it, I could write the docs for it and submit a PR.

Best regards
Robert

[rohankapoorcom]

I would be interested in this (would love to see what you've got). I've been thinking about making a fullly integrated LDAP provider and this would be a good way to see how to go about this.

[bob1de]

Yes, I was thinking about a native LDAP provider as well, but find this a lot more flexible. I just extended the companion script to support both curl and ldapsearch.

Docs aren't written yet, but the code is almost ready to share I think.

[bob1de]

And, at least for me, I don't see a reason to reinvent the wheel. With the generic approach, I rely on well-known LDAP clients and get this working with almost no custom code.

[balloob]

Would curl be the right interface or should it just be a "command line auth provider" ?

[rohankapoorcom]

Yeah, I would want to integrate groups with home assistant groups, assuming this allows that, it would be sufficient for my needs.

[bob1de]

For now, it can only grant or revoke access based on custom LDAP filters, including groups, but isn't integrated with HA groups. The developer docs don't seem to provide information about how to do that. Any user is just placed in the system-admin group.

[balloob]

Yeah, that part is still under construction.

[bob1de]

@balloob What I did is a generic one, just executing a configurable program, nothing specific to curl.

[bob1de]

@balloob Good to know.

I included a mechanism to pass custom fields from the program back to HA via stdout, which is currently used only for name, but as soon as an official interface for setting groups is available, that could easily be extended to allow dynamic group placement as well.

[balloob]

What would be the best way to get data back, print JSON ? Or would we provide a value_template and allow users to hack stuff with Jinja2 ?

[bob1de]

Hmm, it's very simple right now, just lines of the form:

KEY=VALUE

like the output of the env command.

[bob1de]

Ah, you talk about making the complete login flow dynamic as well, not just fields to write to the user account, right?

[balloob]

I was thinking just name and groups. Don't want to go too crazy and no one will use it as it's too complicated.

[bob1de]

Yes, my thoughts.

But then, I think, a simple KEY=VALUE list would be enough, or what do you think?

[balloob]

Yeah, that will work.

[bob1de]

Ok, then let me sanitize the code and make the PR, we could then discuss the details. Docs will be done when the API is finalized.

[bob1de]

Alright, there you go. Maybe we should continue discussion in the PR thread.

[bob1de]

Oh seriously, what's going on with GitHub... 404, 405, 504 errors all day long.