Home Assistant OIDC (oauth2-proxy, Traefik Forward-Auth) #548

Open
muhlba91 opened this issue Oct 16, 2024 · 0 comments
Comments

@muhlba91 (Owner)

Home Assistant doesn't support OIDC out-of-the-box, and as per https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223 and home-assistant/architecture#832 it doesn't seem likely this will be implemented.

https://github.com/BeryJu/hass-auth-header offers an option to add authentication by setting an HTTP Header containing the username. This allows logging in through a proxy.

https://github.com/oauth2-proxy/oauth2-proxy provides a proxy that allows logging in through OIDC and setting an HTTP header and its value to a claim (alpha configuration needed).

An example configuration of the oauth2-proxy can look like this:

```yaml
server:
  BindAddress: '0.0.0.0:4180'
upstreamConfig:
  upstreams:
    # Static upstream: an authenticated request to the proxy gets a 200 with the
    # injected headers below; an unauthenticated one gets a redirect to sign-in.
    - id: static_200
      path: /
      static: true
      staticCode: 200
injectResponseHeaders:
  - name: X-Auth-User
    values:
      - claim: preferred_username
  - name: X-Auth-User-ID
    values:
      # 'user' is oauth2-proxy's session user ID (taken from userIDClaim below)
      - claim: user
  - name: X-Auth-User-Email
    values:
      - claim: email
providers:
  - id: oauth
    provider: oidc
    clientID: <CLIENT_ID>
    clientSecret: <CLIENT_SECRET>
    scope: openid email profile
    oidcConfig:
      issuerURL: <ISSUER_URL>
      userIDClaim: sub
      emailClaim: email
      audienceClaims:
        - aud
```

In this case, the proxy must be started with the following arguments:

```yaml
- --cookie-secret=<COOKIE_SECRET>
- --redirect-url=<REDIRECT_URL> # ends in /oauth2/callback
- --email-domain=*
- --alpha-config=/etc/oauth2_proxy/oauth2_proxy.cfg
```

To enable the proxy using Traefik in the cluster, a Middleware must be created:

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: fwauth
  namespace: whoami
spec:
  forwardAuth:
    address: <OAUTH2_PROXY_URL> # ends in /oauth2/
    # Traefik forwards the client's X-Forwarded-* headers to the proxy as-is
    trustForwardHeader: true
    # These headers are removed from the client request and re-set from the
    # proxy's response, so the upstream only ever sees the proxy's values
    authResponseHeaders:
      - X-Auth-User
      - X-Auth-User-ID
      - X-Auth-User-Email
    tls:
      # Skips certificate verification of the oauth2-proxy endpoint
      insecureSkipVerify: true
```

To use this middleware conditionally, instead of an Ingress, an IngressRoute must be defined:

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: whoami
spec:
  entryPoints:
    - web
    - websecure
  routes:
    # Catch-all: everything not matched by a more specific (longer) rule below
    - match: Host(`whoami.domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
    # Only the HA login flow goes through forward-auth
    - match: Host(`whoami.domain.com`) && PathPrefix(`/auth/`) && !PathPrefix(`/auth/token`) && !HeaderRegexp(`User-Agent`, `io.robbie.HomeAssistant`) && !Query(`redirect_uri`, `homeassistant://auth-callback`)
      kind: Rule
      middlewares:
        - name: fwauth
          namespace: whoami
      services:
        - name: whoami
          port: 80
    # oauth2-proxy itself (sign-in page, callback) is served under /oauth2/
    - match: Host(`whoami.domain.com`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy
          port: 80
```

Here, the oauth2-proxy is placed behind /oauth2/, and the only HA paths proxied with authentication are /auth/*, except /auth/token. Additionally, the app must be excluded since it doesn't support OIDC.
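The routing above decides which requests reach Home Assistant with a proxy-issued `X-Auth-User` header and which reach it with whatever the client sent. The following is an added example, not code from this issue, Traefik, oauth2-proxy or hass-auth-header: it reimplements only the four matchers the IngressRoute uses (`Host`, `PathPrefix`, `HeaderRegexp`, `Query`), Traefik's default router priority (the longer rule wins, which is why the catch-all does not swallow `/auth/`), and forwardAuth's header handling (each name in `authResponseHeaders` is removed from the client request and only re-added from the auth server's response). The oauth2-proxy call is replaced by a local stand-in and every request is constructed for the example. The check worth running against your own rules: on routes that skip `fwauth` (everything outside `/auth/`, `/auth/token`, the app User-Agent, the `homeassistant://auth-callback` redirect), Traefik does not strip a client-supplied `X-Auth-User`, so the header-based auth must not be honoured on those requests unless something else removes it.

```python
"""Which requests to the IngressRoute above get forward-auth, and which
identity headers reach Home Assistant (added example; see lead-in)."""
import re
from dataclasses import dataclass, field

AUTH_RESPONSE_HEADERS = ["X-Auth-User", "X-Auth-User-ID", "X-Auth-User-Email"]

# (service, middlewares, rule) copied from the IngressRoute above.
ROUTES = [
    ("whoami", [], "Host(`whoami.domain.com`)"),
    ("whoami", ["fwauth"],
     "Host(`whoami.domain.com`) && PathPrefix(`/auth/`) && !PathPrefix(`/auth/token`)"
     " && !HeaderRegexp(`User-Agent`, `io.robbie.HomeAssistant`)"
     " && !Query(`redirect_uri`, `homeassistant://auth-callback`)"),
    ("oauth2-proxy", [], "Host(`whoami.domain.com`) && PathPrefix(`/oauth2/`)"),
]

@dataclass
class Request:
    path: str
    host: str = "whoami.domain.com"
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)

    def header(self, name):
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None

_TERM = re.compile(r"^(!?)(\w+)\((.*)\)$")

def matches(rule, req):
    """Evaluate a rule made of `&&`-joined, optionally negated matchers."""
    for term in rule.split("&&"):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported rule term: {term!r}")
        neg, name, raw = m.groups()
        args = re.findall(r"`([^`]*)`", raw)
        if name == "Host":
            hit = req.host.lower() == args[0].lower()
        elif name == "PathPrefix":
            hit = req.path.startswith(args[0])
        elif name == "HeaderRegexp":
            value = req.header(args[0])
            hit = value is not None and re.search(args[1], value) is not None
        elif name == "Query":
            hit = req.query.get(args[0]) == args[1]
        else:
            raise ValueError(f"unsupported matcher: {name}")
        if hit == bool(neg):  # plain term that missed, or negated term that hit
            return False
    return True

def route(req):
    """Pick the matching route with the highest priority (Traefik default: rule length)."""
    candidates = [r for r in ROUTES if matches(r[2], req)]
    return max(candidates, key=lambda r: len(r[2])) if candidates else None

def oauth2_proxy(session):
    """Stand-in for the forward-auth call to <OAUTH2_PROXY_URL>/oauth2/: 200 plus
    the injected claim headers for a valid session, 302 to sign-in otherwise.
    `session` is a constructed dict of claims, not a real oauth2-proxy cookie."""
    if session is None:
        return 302, {}
    return 200, {"X-Auth-User": session["preferred_username"],
                 "X-Auth-User-ID": session["sub"],
                 "X-Auth-User-Email": session["email"]}

def dispatch(req, session=None):
    """Return (service, status, headers the service receives). service is None
    when the forward-auth redirect is returned to the client instead."""
    r = route(req)
    if r is None:
        return None, 404, {}
    service, middlewares, _ = r
    headers = dict(req.headers)
    if "fwauth" in middlewares:
        status, auth_headers = oauth2_proxy(session)
        # forwardAuth: authResponseHeaders are deleted from the client request
        # and only re-added from the auth server's response.
        for name in AUTH_RESPONSE_HEADERS:
            headers = {k: v for k, v in headers.items() if k.lower() != name.lower()}
        if status != 200:
            return None, status, {}
        headers.update(auth_headers)
    return service, 200, headers

if __name__ == "__main__":
    forged = {"X-Auth-User": "admin"}  # constructed: a client-supplied header
    alice = {"preferred_username": "alice", "sub": "42", "email": "alice@example.com"}
    for label, req, sess in [
        ("browser, no session", Request("/auth/login_flow", headers=forged), None),
        ("browser, session", Request("/auth/login_flow", headers=forged), alice),
        ("app user-agent", Request("/auth/login_flow", headers={**forged,
            "User-Agent": "io.robbie.HomeAssistant/2024.10"}), None),
        ("token refresh", Request("/auth/token", headers=forged), None),
        ("oidc callback", Request("/oauth2/callback"), None),
    ]:
        print(f"{label:20s} -> {dispatch(req, sess)}")
```

Running it shows the two cases that matter: on the `fwauth` route the forged `X-Auth-User: admin` never reaches Home Assistant (either the client is redirected, or the header is replaced by `alice` from the proxy), while on the app User-Agent, `/auth/token` and catch-all routes the client's header is forwarded untouched.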

muhlba91 changed the title from "Home Assistant OIDC" to "Home Assistant OIDC (oauth2-proxy, Traefik Forward-Auth)" on Oct 16, 2024