legacy_api_password auth provider confusion #28431

Closed
sibbl opened this issue Nov 1, 2019 · 7 comments

Comments

@sibbl sibbl commented Nov 1, 2019

Home Assistant release with the issue:
0.101.0

Last working Home Assistant release (if known):
0.100.3

Operating environment (Hass.io/Docker/Windows/etc.):
Hass.io on Raspberry Pi 4

Integration:
Core/auth

Description of problem:
I migrated my config some months ago and removed the legacy password entry from the http: component. I didn't get any deprecation warning and it worked as it's supposed to.

However, after upgrading to 0.101.0 I always get a 401: Unauthorized error.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

homeassistant:
  name: Home
  latitude: !secret home_latitude
  longitude: !secret home_longitude
  customize: !include customize.yaml
  customize_glob: !include customize_glob.yaml
  auth_providers:
  - type: legacy_api_password
    api_password: 1234657890
  - type: homeassistant

Additional information:
A downgrade to 0.100.3 worked fine without having to change anything of the config.

Is there anything I didn't understand correctly? From the release blog post it's a bit hard to understand what has been removed (http: stuff) and what's still there (legacy_api_password auth provider) but as far as I understood from the current docs, the config code above should work fine.

Author

@sibbl sibbl commented Nov 1, 2019

If somebody wonders, the following sections from the version announcement are very confusing.

It is no longer possible to make authenticated requests using trusted networks or by appending ?api_password=X to the URL.
[...]
The support of configuring the auth providers for API Password and Trusted Networks via the HTTP configuration is also removed. It now needs to be configured in the auth provider section (docs).

At least I have no idea which one tells the actual truth especially since

  1. there's no warning telling me that my config includes an invalid auth provider
  2. the docs still mention the auth provider to be there
  3. and the code of the provider is also still in the repo?

I'd also really love to remove api_password from my config but the mystrom component requires this feature to be there. If it was removed, I'm not sure if this is the only component which became unusable.

@sibbl sibbl changed the title legacy_api_password auth provider isn't working anymore? legacy_api_password auth provider confusion Nov 1, 2019
Member

@balloob balloob commented Nov 1, 2019

The auth providers are still there and supported. With auth providers you can get an access token via the authorize flow. It won't allow you to authenticate by passing some data as part of the url.

@Molodax Molodax commented Nov 2, 2019

I didn't get the explanation from @balloob

Contributor

@bbrendon bbrendon commented Nov 3, 2019

How can we re-install the api_password auth provider?

Also, the docs haven't been updated. They still say api_password can be used.

Edit. Now I'm more confused. This file is still there. https://github.com/home-assistant/home-assistant/blob/dev/homeassistant/auth/providers/legacy_api_password.py

Contributor

@bbrendon bbrendon commented Nov 3, 2019

If this gets closed, I've started trying to figure out a way to get it back.
https://community.home-assistant.io/t/anyone-working-on-a-way-to-bring-back-api-password/146085?u=bbrendon

Member

@balloob balloob commented Nov 3, 2019

Auth providers are used to log in to Home Assistant. So the legacy API password provider will allow you to login to Home Assistant using an API password:

image

It will not, however, allow you to mark a request as authorized by adding the password to the url.

Author

@sibbl sibbl commented Nov 4, 2019

@balloob thanks for clarification! This indeed makes sense and I've started to migrate away from "api_password" GET parameter now.

For most things, I could simply use webhook automations.

However, some things also required that I could trigger a Node Red node from a webhook which was not that straightforward.
For those who are interested, this is how I call a rest_command from a webhook, which forwards all incoming data to Node Red: https://community.home-assistant.io/t/ha-webhook-node-red-integration/146019

@sibbl sibbl closed this Nov 4, 2019
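
The migration discussed in this thread, as an added example that is not part of the original issue or of Home Assistant's code: it finds callers that still append `?api_password=X` to a URL, redacts the secret for reporting, and rebuilds the call so the credential travels in an `Authorization: Bearer` header instead. The host name, the function names and the token placeholder are assumptions; the token is assumed to be an access token already issued by Home Assistant.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

LEGACY_PARAM = "api_password"
# Matches the secret value that follows ?api_password= or &api_password=
LEGACY_RE = re.compile(r"([?&]" + LEGACY_PARAM + r"=)[^&\s\"']+")


def migrate_legacy_url(url, access_token):
    """Build a header-authenticated request from a legacy URL.

    Returns (request, had_legacy_secret). The request is not sent here.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Drop the password so it no longer ends up in proxy or access logs.
    kept = [(k, v) for k, v in pairs if k != LEGACY_PARAM]
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    req = Request(clean_url, headers={"Authorization": f"Bearer {access_token}"})
    return req, len(kept) != len(pairs)


def audit_lines(lines):
    """Return (line_number, redacted_line) for lines with a secret in a URL."""
    findings = []
    for number, line in enumerate(lines, 1):
        if LEGACY_RE.search(line):
            findings.append((number, LEGACY_RE.sub(r"\1<redacted>", line)))
    return findings


# Constructed sample input: two script lines, one still using the old style.
SAMPLE = [
    "curl http://homeassistant.local:8123/api/states?api_password=1234657890",
    'curl -H "Authorization: Bearer $TOKEN" http://homeassistant.local:8123/api/states',
]

if __name__ == "__main__":
    for number, line in audit_lines(SAMPLE):
        print(f"line {number}: {line}")
    req, had = migrate_legacy_url(SAMPLE[0].split()[1], "PLACEHOLDER_TOKEN")
    print(req.full_url, had)
```
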