Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/BeryJu/hass-auth-header

Home Assistant custom component, which allows you to delegate authentication to a reverse proxy.
https://github.com/BeryJu/hass-auth-header

Last synced: 5 days ago
JSON representation

Home Assistant custom component, which allows you to delegate authentication to a reverse proxy.

Host: GitHub
URL: https://github.com/BeryJu/hass-auth-header
Owner: BeryJu
License: gpl-3.0
Created: 2020-10-06T15:20:13.000Z (about 4 years ago)
Default Branch: master
Last Pushed: 2024-04-26T09:48:51.000Z (7 months ago)
Last Synced: 2024-05-01T16:48:07.311Z (6 months ago)
Language: Python
Homepage:
Size: 11 MB
Stars: 201
Watchers: 6
Forks: 16
Open Issues: 16
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Header Auth for Home Assistant

This custom component allows you to delegate authentication to a reverse proxy.

This integrations checks the value of a configured header and authenticates based on its value. The value of the header is
checked against usernames AND full names. Users have to be created in Home Assistant by hand.

**Use with caution. If misconfigured, this can lead to a Home Assistant instance that anyone can access**

## Installation

Add this repository to [HACS](https://hacs.xyz/).

Update your configuration.yaml file with

```yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- 1.2.3.4/32 # This needs to be set to the IP of your reverse proxy
auth_header:
# Optionally set this if you're not using authentik proxy or oauth2_proxy
# username_header: X-Forwarded-Preferred-Username
# Optionally enable debug mode to see the headers Home-Assistant gets
# debug: false
# Optionally, if something is not working right, add this block below to get more information
logger:
default: info
logs:
custom_components.auth_header: debug
```

Afterwards, restart Home Assistant.

![](./.github/demo.gif)

## CSRF Errors when used with oauth2_proxy or authentik

See https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477

## How it works

On boot, two main things are done when the integration is enabled:

1. The default `LoginFlowIndexView` view is replaced. This view is called when you submit the login form. The replacement for this view, `RequestLoginFlowResourceView`, simply adds the HTTP Request to the context. This context is passed to authentication Providers.

Normally the Request is not included, as none of the providers require it.

2. The Header Authentication Provider is injected into the providers, *before* the other authentication providers.

This ensures that Header auth is tried first, and if it fails the user can still use username/password.

## Help! Everything is broken!

If anything goes wrong or Home Assistant fails to load the component correctly, simply remove the `auth_header` block from your configuration file and restart HASS.