Core: legacy_api_password auth provider confusion

Created on 1 Nov 2019 · 7 Comments · Source: home-assistant/core

Home Assistant release with the issue:
0.101.0

Last working Home Assistant release (if known):
0.100.3

Operating environment (Hass.io/Docker/Windows/etc.):
Hass.io on Raspberry Pi 4

Integration:
Core/auth

Description of problem:
I migrated my config some months ago and removed the legacy password entry from the http: component. I didn't get any deprecation warning and it worked as it's supposed to.

However, after upgrading to 0.101.0 I always get a 401: Unauthorized error.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

homeassistant:
  name: Home
  latitude: !secret home_latitude
  longitude: !secret home_longitude
  customize: !include customize.yaml
  customize_glob: !include customize_glob.yaml
  auth_providers:
  - type: legacy_api_password
    api_password: 1234657890
  - type: homeassistant

Additional information:
A downgrade to 0.100.3 worked fine without having to change anything of the config.

Is there anything I didn't understand correctly? From the release blog post it's a bit hard to understand what has been removed (http: stuff) and what's still there (legacy_api_password auth provider) but as far as I understood from the current docs, the config code above should work fine.

All 7 comments

If somebody wonders, the following sections from the version announcement are very confusing.

It is no longer possible to make authenticated requests using trusted networks or by appending ?api_password=X to the URL.
[...]
The support of configuring the auth providers for API Password and Trusted Networks via the HTTP configuration is also removed. It now needs to be configured in the auth provider section (docs).

At least I have no idea which one tells the actual truth especially since
1) there's no warning telling me that my config includes an invalid auth provider
2) the docs still mention the auth provider to be there
3) and the code of the provider is also still in the repo?

I'd also really love to remove api_password from my config but the mystrom component requires this feature to be there. If it was removed, I'm not sure if this is the only component which became unusable.

The auth providers are still there and supported. With auth providers you can get an access token via the authorize flow. It won't allow you to authenticate by passing some data as part of the url.

I didn't get the explanation from @balloob

How can we re-install the api_password auth provider?

Also, the docs haven't been updated. They still say api_password can be used.

Edit. Now I'm more confused. This file is still there. https://github.com/home-assistant/home-assistant/blob/dev/homeassistant/auth/providers/legacy_api_password.py

If this gets closed, I've started trying to figure out a way to get it back.
https://community.home-assistant.io/t/anyone-working-on-a-way-to-bring-back-api-password/146085?u=bbrendon

Auth providers are used to log in to Home Assistant. So the legacy API password provider will allow you to login to Home Assistant using an API password:

It will not, however, allow you to mark a request as authorized by adding the password to the url.

@balloob thanks for clarification! This indeed makes sense and I've started to migrate away from "api_password" GET parameter now.

For most things, I could simply use webhook automations.

However, some things also required that I could trigger a Node Red node from a webhook which was not that straightforward.
For those who are interested, this is how I call a rest_command from a webhook, which forwards all incoming data to Node Red: https://community.home-assistant.io/t/ha-webhook-node-red-integration/146019
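
Added example, not part of the original thread and not Home Assistant's own code: a small audit helper for the migration discussed above. It finds URLs that still append ?api_password=X and rebuilds each request with the password removed from the URL. It assumes the replacement credential is an access token sent as an Authorization: Bearer header; the host name, webhook id and token are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request

LEGACY_PARAM = "api_password"  # query parameter named in the release notes quoted above
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_legacy_urls(text):
    """Return (line_number, url) for every URL that carries ?api_password=."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if LEGACY_PARAM in [key for key, _ in pairs]:
                hits.append((lineno, url))
    return hits


def to_bearer_request(url, token):
    """Drop api_password from the URL and authenticate with a header instead."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != LEGACY_PARAM]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    # Assumption: the token is accepted as "Authorization: Bearer <token>".
    return Request(clean, headers={"Authorization": f"Bearer {token}"})


# Constructed sample: lines as they might appear in a script or device config.
SAMPLE = """\
curl http://hassio.local:8123/api/states/sensor.door?api_password=1234657890
url: http://hassio.local:8123/api/services/light/toggle?api_password=1234657890&x=1
url: http://hassio.local:8123/api/webhook/constructed-webhook-id
"""

if __name__ == "__main__":
    for lineno, url in find_legacy_urls(SAMPLE):
        req = to_bearer_request(url, "CONSTRUCTED_TOKEN")
        print(f"line {lineno}: {url}")
        print(f"  -> {req.full_url} (credential moved to Authorization header)")
```

The request objects are only built, never sent, so the helper can be run against config files and scripts offline.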
