Core: Universal authentication provider for external services

Created on 11 Jan 2019  ·  18Comments  ·  Source: home-assistant/core

Hi,

I wrote a universal auth provider that calls a user-defined program, passing username and password via environment and then grants access on returncode 0. It works similarly to the auth-user-pass-verify option of OpenVPN. Even the visible name for the user can be written to stdout by the external program and is then added to HA's database. It's all fully async, of course.

I use it with a very simple shell script that uses curl to do LDAP authentication (including group membership checks), works like a charm, even in the official Docker image, thanks to curl being available there.

It could be used for all kinds of authentication mechanisms, like PAM, flat databases, etc.

If you'd appreciate it, I could write the docs for it and submit a PR.

Best regards
Robert

auth

All 18 comments

I would be interested in this (would love to see what you've got). I've been thinking about making a fully integrated LDAP provider and this would be a good way to see how to go about this.

Yes, I was thinking about a native LDAP provider as well, but find this a lot more flexible. I just extended the companion script to support both curl and ldapsearch.

Docs aren't written yet, but the code is almost ready to share I think.

And, at least for me, I don't see a reason to reinvent the wheel. With the generic approach, I rely on well-known LDAP clients and get this working with almost no custom code.

Would curl be the right interface or should it just be a "command line auth provider"?

Yeah, I would want to integrate groups with home assistant groups, assuming this allows that, it would be sufficient for my needs.

For now, it can only grant or revoke access based on custom LDAP filters, including groups, but isn't integrated with HA groups. The developer docs don't seem to provide information about how to do that. Any user is just placed in the system-admin group.

Yeah, that part is still under construction.

@balloob What I did is a generic one, just executing a configurable program, nothing specific to curl.

@balloob Good to know.

I included a mechanism to pass custom fields from the program back to HA via stdout, which is currently used only for name, but as soon as an official interface for setting groups is available, that could easily be extended to allow dynamic group placement as well.

What would be the best way to get data back, print JSON? Or would we provide a value_template and allow users to hack stuff with Jinja2?

Hmm, it's very simple right now, just lines of the form:

KEY=VALUE

like the output of the env command.
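The mechanism from the opening post (credentials handed to an external program through its environment, exit status 0 meaning "grant", stdout parsed as env-style KEY=VALUE lines), written out as an added illustration. This is not Robert's provider and not Home Assistant code: the checker program, the user table it contains, the `COMMAND`, `parse_meta`, `authenticate` and `login` names, and the whitelist of accepted keys are all constructed for this example.

```python
"""Illustrative command-line auth provider, not the Home Assistant code.

The external program receives the credentials through its environment
(never on the command line, where they would show up in the process
list) and answers with its exit status: 0 grants access, anything else
denies it.  Whatever it prints on stdout is parsed as KEY=VALUE lines
and returned as extra user data (e.g. a display name).
"""
import asyncio
import os
import sys

# Constructed stand-in for the user's own checker script.  A real
# deployment would point at e.g. an LDAP shell script; this one just
# compares against a hard-coded table so the example runs offline.
CHECKER_SRC = r"""
import hmac, os, sys
USERS = {"robert": ("hunter2", "Robert")}   # constructed test data
user = os.environ.get("username", "")
pw = os.environ.get("password", "")
expected = USERS.get(user)
if expected is None or not hmac.compare_digest(expected[0].encode(), pw.encode()):
    sys.exit(1)                 # deny: non-zero exit code
print(f"name={expected[1]}")    # extra field for the HA user record
sys.exit(0)
"""
COMMAND = [sys.executable, "-c", CHECKER_SRC]   # hypothetical configured command

ALLOWED_KEYS = {"name"}   # only fields we know how to use are accepted


def parse_meta(stdout: str) -> dict:
    """Turn 'KEY=VALUE' lines (env-style output) into a dict.

    Unknown keys and malformed lines are ignored rather than trusted.
    """
    meta = {}
    for line in stdout.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ALLOWED_KEYS:
            meta[key] = value.strip()
    return meta


async def authenticate(command, username, password, timeout=10.0):
    """Run the checker; return parsed meta on exit 0, None otherwise."""
    # Pass only a minimal environment so the secret does not leak into
    # unrelated child processes and the checker sees a predictable PATH.
    env = {
        "PATH": os.environ.get("PATH", ""),
        "username": username,
        "password": password,
    }
    proc = await asyncio.create_subprocess_exec(
        *command,
        env=env,
        stdin=asyncio.subprocess.DEVNULL,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.DEVNULL,
    )
    try:
        stdout, _ = await asyncio.wait_for(proc.communicate(), timeout)
    except asyncio.TimeoutError:
        proc.kill()
        await proc.wait()
        return None          # a hung checker is a denial, not a grant
    if proc.returncode != 0:
        return None
    return parse_meta(stdout.decode("utf-8", "replace"))


def login(username, password):
    """Synchronous convenience wrapper around authenticate()."""
    return asyncio.run(authenticate(COMMAND, username, password))


if __name__ == "__main__":
    print(login("robert", "hunter2"))   # {'name': 'Robert'}
    print(login("robert", "wrong"))     # None
```

Two choices worth noting: the child gets a scrubbed environment rather than a copy of the parent's, so the password is only ever visible to the checker itself, and a checker that times out is treated as a denial, so a stalled LDAP server cannot leave a login hanging or, worse, fall through to a grant. The key whitelist keeps the stdout channel from being used to set arbitrary fields on the user record.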

Ah, you talk about making the complete login flow dynamic as well, not just fields to write to the user account, right?

I was thinking just name and groups. Don't want to go too crazy and no one will use it as it's too complicated.

Yes, my thoughts.

But then, I think, a simple KEY=VALUE list would be enough, or what do you think?

Yeah, that will work.

Ok, then let me sanitize the code and make the PR, we could then discuss the details. Docs will be done when the API is finalized.

Alright, there you go. Maybe we should continue discussion in the PR thread.

Oh seriously, what's going on with GitHub... 404, 405, 504 errors all day long.
